Closed EminemJK closed 2 years ago
@brockallen Thank you guys
@EminemJK As far as I know, there is no security risk with the discovery endpoints, which are helpful for external clients to build requests to the Identity Server.
I think the issue may be due to your client app using a third-party lib to query IS4?
Did you try to perform an access token request to IS4 with a tool like Postman?
@gromatluidgi Thanks for your reply, but you misunderstand me. I found this when I was looking through the official documents:
The discovery endpoint can be used to retrieve metadata about your IdentityServer - it returns information like the issuer name, key material, supported scopes etc. See the spec for more details.
from:
https://identityserver4.readthedocs.io/en/latest/endpoints/discovery.html?highlight=.well-known%2Fopenid-configuration
I see key material, so I'm concerned about security risks.
It's public key only exposed on that endpoint.
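A check an operator can run on the `.well-known/openid-configuration/jwks` response to confirm the point in the reply above, that only public key parameters are published. This is an added example, not part of the thread or IdentityServer4's own code; the function name and the sample documents are constructed for illustration, and the private member names are those defined in RFC 7518 and RFC 8037.

```python
import json

# Private/secret JWK members per key type (RFC 7518 section 6, RFC 8037).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key is secret in its entirety
}


def find_private_members(jwks_text):
    """Return (kid, member) pairs for secret material found in a JWKS document."""
    doc = json.loads(jwks_text)
    keys = doc.get("keys")
    if not isinstance(keys, list):
        raise ValueError("not a JWK Set: missing 'keys' array")
    findings = []
    for index, jwk in enumerate(keys):
        kid = jwk.get("kid", f"#{index}")  # fall back to position if no kid
        kty = jwk.get("kty")
        if kty not in PRIVATE_MEMBERS:
            # Unrecognised key type: flag it for manual review.
            findings.append((kid, "unknown kty"))
            continue
        for member in sorted(PRIVATE_MEMBERS[kty] & jwk.keys()):
            findings.append((kid, member))
    return findings


# Constructed samples; the values are placeholders, not real key material.
PUBLIC_ONLY = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "example-kid-1", "alg": "RS256",
     "e": "AQAB", "n": "placeholder-modulus"},
]})
LEAKY = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "example-kid-2",
     "e": "AQAB", "n": "placeholder-modulus", "d": "placeholder-private-exponent"},
    {"kty": "oct", "kid": "example-kid-3", "k": "placeholder-secret"},
]})

if __name__ == "__main__":
    for name, text in (("public-only", PUBLIC_ONLY), ("leaky", LEAKY)):
        print(name, find_private_members(text) or "no private members")
```

An empty result means the document carries only public parameters such as `n` and `e`; any finding means the published key set should be treated as compromised and rotated.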
@brockallen OK, thank you for your prompt reply
After I deploy IDS4, everyone can access the documents '.well-known/openid-configuration' and '.well-known/openid-configuration/jwks'. Is there any security risk?
When I set
or
, I cannot access the API through a token. Can anyone give me a suggestion?