IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0
9.23k stars 4.01k forks

Whether the .well-known/openid-configuration document exposed by IDS4 has security problems #5395

Closed EminemJK closed 2 years ago

EminemJK commented 2 years ago

After I deploy IDS4, everyone can access the documents '.well-known/openid-configuration' and '.well-known/openid-configuration/jwks'. Is there any security risk?

When I set

options.Endpoints.EnableDiscoveryEndpoint = false;

or

options.Discovery.ShowKeySet = false;

I cannot access the API through the token. Can anyone give me a suggestion?

EminemJK commented 2 years ago

@brockallen Thank you guys

gromatluidgi commented 2 years ago

@EminemJK As far as I know there is no security risk with the discovery endpoints, which are helpful for external clients to build requests to the Identity Server.

I think the issue may be due to your client app using a third-party lib for querying IS4?

Did you try to perform an access token request to IS4 with a tool like Postman?

EminemJK commented 2 years ago

@gromatluidgi Thanks for your reply, but you misunderstand me. I found this when I was looking through the official documents:

The discovery endpoint can be used to retrieve metadata about your IdentityServer - it returns information like the issuer name, key material, supported scopes etc. See the spec for more details.

from:

https://identityserver4.readthedocs.io/en/latest/endpoints/discovery.html?highlight=.well-known%2Fopenid-configuration

I see key material, so I'm concerned about security risks.

brockallen commented 2 years ago

I see key material, so I'm concerned about security risks.

It's only the public key that is exposed on that endpoint.
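The public-only point above is something a deployer can verify directly. The following is an added example, not IdentityServer code: it parses a JWKS document, reports any private-key members (as defined in RFC 7518) that a published key carries, and extracts the (n, e) pair that is all a token validator needs. The sample document is constructed with toy values and is not real key material.

```python
import base64
import json

# Private-key members per RFC 7518 (section 6); a published JWKS must never carry them.
# "oct" is a symmetric key, so its only member "k" is secret material in its entirety.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},
}

def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK parameter (n, e, ...) into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def rsa_public_numbers(jwk: dict) -> tuple[int, int]:
    """Return (n, e): the only material a verifier needs to check an RS256 signature."""
    return b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])

def audit_jwks(document: str) -> dict[str, list[str]]:
    """Map each key id in a JWKS document to the private members it leaks (empty = clean)."""
    findings = {}
    for jwk in json.loads(document).get("keys", []):
        kty = jwk.get("kty", "")
        kid = jwk.get("kid", "<no kid>")
        findings[kid] = sorted(PRIVATE_MEMBERS.get(kty, set()) & set(jwk))
    return findings

# Constructed sample JWKS (toy values, not real key material). The first entry has the
# shape the jwks endpoint is expected to publish; the second simulates a misconfigured
# server that serialised the private exponent "d" as well.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "good",
     "n": "xjlCaXhHN3BkZm9vYmFy", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "leaky",
     "n": "xjlCaXhHN3BkZm9vYmFy", "e": "AQAB", "d": "c2VjcmV0"},
]})

if __name__ == "__main__":
    for kid, leaked in audit_jwks(SAMPLE_JWKS).items():
        print(f"{kid}: {'OK (public only)' if not leaked else 'LEAKS ' + ', '.join(leaked)}")
```

Point `audit_jwks` at the JSON fetched from your own `.well-known/openid-configuration/jwks` to confirm every published key reports an empty list.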

EminemJK commented 2 years ago

@brockallen OK, thank you for your prompt reply.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.