Admin API protection

Protect the Keycloak Admin REST API against privilege escalation and data exfiltration.

Requirements coverage

Requirement      Description
REQ-ADMIN-001    Admin API endpoint whitelist
REQ-ADMIN-002    Block master realm admin operations
REQ-ADMIN-003    Block realm export operations
REQ-ADMIN-004    Block identity provider configuration changes
REQ-ADMIN-005    Detect and limit bulk operations
REQ-ADMIN-006    Limit user listing response size
REQ-ADMIN-007    Support read-only mode for admin API
REQ-ADMIN-008    Log all critical admin operations

Test examples

ADMIN-001    BLOCKED

Realm export blocked

Example request

curl https://keycloak-alg:8443/admin/realms/myapp/partial-export \
  -H 'Authorization: Bearer <admin-token>'

Expected response

{"error":"access_denied","error_description":"Realm export operations are blocked by policy"}

ADMIN-002    BLOCKED

Master realm change blocked

Example request

curl -X PUT https://keycloak-alg:8443/admin/realms/master \
  -H 'Authorization: Bearer <admin-token>' \
  -H 'Content-Type: application/json' \
  -d '{"enabled": false}'

Expected response

{"error":"access_denied","error_description":"Master realm changes are blocked by policy"}
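The following Python module is an added illustration of how a gateway in front of the Admin REST API can evaluate the eight requirements above as one ordered policy and reproduce the two test examples; it is not the product's own code. Paths follow the Keycloak Admin REST API (/admin/realms/{realm}/..., partial-export, partialImport, identity-provider/instances, the users listing with its max query parameter). The error JSON shape and the two denial messages for realm export and master realm changes are taken from the test examples on this page; every other message, the PolicyConfig fields, the page-size limit of 100 and the bulk threshold of 50 are assumptions constructed for this example.

```python
"""Example policy evaluator for a Keycloak admin-API gateway.

Added illustration, not the product's code. The error JSON shape and the two
messages for export and master-realm denials come from this page's test
examples; all other messages, limits and PolicyConfig fields are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REALM_PATH = re.compile(r"^/admin/realms/(?P<realm>[^/?]+)(?P<rest>/[^?]*)?$")


@dataclass
class PolicyConfig:
    read_only: bool = False                        # REQ-ADMIN-007
    max_user_page_size: int = 100                  # REQ-ADMIN-006 (assumed limit)
    bulk_threshold: int = 50                       # REQ-ADMIN-005 (assumed limit)
    allowed_prefixes: tuple = ("/admin/realms/",)  # REQ-ADMIN-001


@dataclass
class Decision:
    allowed: bool
    status: int
    body: Optional[Dict[str, Any]]                        # JSON returned to the caller when denied
    query: Dict[str, str] = field(default_factory=dict)   # query forwarded upstream when allowed
    audit: Optional[str] = None                           # REQ-ADMIN-008 log line, None for plain reads


def _deny(reason: str, method: str, path: str) -> Decision:
    body = {"error": "access_denied", "error_description": reason}
    return Decision(False, 403, body, audit=f"DENY {method} {path}: {reason}")


def _item_count(body: Any) -> int:
    """Items in a bulk-style body: a JSON array, or the largest array field (e.g. partialImport's 'users')."""
    if isinstance(body, list):
        return len(body)
    if isinstance(body, dict):
        return max((len(v) for v in body.values() if isinstance(v, list)), default=0)
    return 0


def evaluate(method: str, path: str, query: Optional[Dict[str, str]] = None,
             body: Any = None, cfg: Optional[PolicyConfig] = None) -> Decision:
    """Return the gateway decision for one admin-API request (checks are ordered most to least severe)."""
    cfg = cfg or PolicyConfig()
    query = dict(query or {})
    method = method.upper()
    is_write = method in WRITE_METHODS

    # REQ-ADMIN-001: anything outside the endpoint whitelist is refused outright.
    if not any(path.startswith(p) for p in cfg.allowed_prefixes):
        return _deny("Endpoint is not on the admin API whitelist", method, path)

    m = REALM_PATH.match(path)
    realm = m.group("realm") if m else None
    rest = (m.group("rest") or "") if m else ""

    # REQ-ADMIN-002: the master realm is never administered through the gateway.
    if realm == "master":
        reason = ("Master realm changes are blocked by policy" if is_write
                  else "Master realm admin operations are blocked by policy")
        return _deny(reason, method, path)

    # REQ-ADMIN-007: read-only mode rejects every mutating method.
    if cfg.read_only and is_write:
        return _deny("Admin API is in read-only mode", method, path)

    # REQ-ADMIN-003: an export carries client secrets and user data; block it regardless of method.
    if rest.endswith("/partial-export"):
        return _deny("Realm export operations are blocked by policy", method, path)

    # REQ-ADMIN-004: identity-provider configuration is readable but not changeable via the gateway.
    if is_write and "/identity-provider/" in rest:
        return _deny("Identity provider configuration changes are blocked by policy", method, path)

    # REQ-ADMIN-005: bulk payloads above the threshold are refused.
    if is_write and _item_count(body) > cfg.bulk_threshold:
        return _deny(f"Bulk operation exceeds {cfg.bulk_threshold} items", method, path)

    # REQ-ADMIN-006: clamp the page size of user listings ('max' is Keycloak's query parameter).
    if method == "GET" and rest.rstrip("/") == "/users":
        requested = query.get("max")
        try:
            if requested is None or int(requested) > cfg.max_user_page_size:
                query["max"] = str(cfg.max_user_page_size)
        except ValueError:
            query["max"] = str(cfg.max_user_page_size)

    # REQ-ADMIN-008: every permitted write is a critical operation and gets an audit line.
    audit = f"ALLOW {method} {path}" if is_write else None
    return Decision(True, 200, None, query, audit)


if __name__ == "__main__":
    # Replay the two test examples from this page.
    for method, path, body in [("GET", "/admin/realms/myapp/partial-export", None),
                               ("PUT", "/admin/realms/master", {"enabled": False})]:
        d = evaluate(method, path, body=body)
        print(method, path, "->", d.status, d.body, "|", d.audit)
```

The checks are deliberately ordered so that the most severe rule wins: a write to the master realm is reported as a master realm violation even when read-only mode is also on, and the user-listing clamp only runs on requests that have already passed every deny rule. Denials are always audited; for allowed requests only writes produce an audit line, which keeps the log focused on the operations REQ-ADMIN-008 calls critical.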