IPs allowlists
IPs allowlist for the login and admin urls of Keycloak deployments can be configured through the Cloud IAM dashboard and API.
Cloud-IAM has two types of IPs alllowlist
OpenID APIs endpoints: these urls are related with the end-user (Cloud-IAM customer's own customers) endpoints for login, sign up, forgot password and the underneath REST APIs required to get authenticated and generate JWT access tokens
Keycloak REST Admin endpoints: these urls are related with the Keycloak administration console and Keycloak admin REST API endpoints.
The entries of the allowlists are either a single IP address or in CIDR format. They are checked sequentially until a match is found. If no rule matches, the allow directive is applied.
Each time an allowlist is updated through the API or the dashboard, a zero downtime re-deployment is triggered to apply the new settings.
By default allowlist are configured to allow any ip to connect. Cloud-IAM team recommends to configure both allowlists accordingly to your security requirements.
Cloud-IAM has two types of IPs alllowlist
OpenID APIs endpoints: these urls are related with the end-user (Cloud-IAM customer's own customers) endpoints for login, sign up, forgot password and the underneath REST APIs required to get authenticated and generate JWT access tokens
Keycloak REST Admin endpoints: these urls are related with the Keycloak administration console and Keycloak admin REST API endpoints.
The entries of the allowlists are either a single IP address or in CIDR format. They are checked sequentially until a match is found. If no rule matches, the allow directive is applied.
Each time an allowlist is updated through the API or the dashboard, a zero downtime re-deployment is triggered to apply the new settings.
By default allowlist are configured to allow any ip to connect. Cloud-IAM team recommends to configure both allowlists accordingly to your security requirements.
Updated on: 26/09/2022
Thank you!