Admin API Protection

Protect the Keycloak Admin REST API against privilege escalation and data exfiltration.

Requirements Coverage

REQ-ADMIN-001: Admin API endpoint whitelist
REQ-ADMIN-002: Block master realm admin operations
REQ-ADMIN-003: Block realm export operations
REQ-ADMIN-004: Block identity provider configuration changes
REQ-ADMIN-005: Detect and limit bulk operations
REQ-ADMIN-006: Limit user listing response size
REQ-ADMIN-007: Support read-only mode for admin API
REQ-ADMIN-008: Log all critical admin operations

Test Examples

ADMIN-001 [BLOCKED]

Realm export blocked

Sample Request

curl -X POST https://keycloak-alg:8443/admin/realms/myapp/partial-export \
  -H 'Authorization: Bearer <admin-token>'

Expected Response

{"error":"access_denied","error_description":"Realm export operations are blocked by policy"}

ADMIN-002 [BLOCKED]

Master realm change blocked

Sample Request

curl -X PUT https://keycloak-alg:8443/admin/realms/master \
  -H 'Authorization: Bearer <admin-token>' \
  -H 'Content-Type: application/json' \
  -d '{"enabled": false}'

Expected Response

{"error":"access_denied","error_description":"Master realm changes are blocked by policy"}
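The following is an added illustration, not the gateway's own code: a minimal policy evaluator that applies REQ-ADMIN-002, -003, -004, -006 and -007 to a method and path and produces the access_denied bodies shown in the test examples above. The path patterns, the read-only flag, the page-size cap of 100 and the choice to block only mutating methods on the master realm are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical policy evaluator (not the gateway's own code); paths are
# Keycloak Admin REST API paths as the gateway sees them (assumed).
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
EXPORT_RE = re.compile(r"^/admin/realms/[^/]+/partial-export/?$")
MASTER_RE = re.compile(r"^/admin/realms/master(/|$)")
IDP_RE = re.compile(r"^/admin/realms/[^/]+/identity-provider(/|$)")
USERS_RE = re.compile(r"^/admin/realms/[^/]+/users/?$")

@dataclass
class Decision:
    allowed: bool
    reason: str = ""

    def body(self):
        """JSON body returned for a denied request (None when allowed)."""
        if self.allowed:
            return None
        return {"error": "access_denied", "error_description": self.reason}

def evaluate(method, path, read_only=False):
    """Apply REQ-ADMIN-002/003/004/007 to one request; first matching rule wins."""
    method = method.upper()
    if EXPORT_RE.match(path):  # REQ-ADMIN-003: exports blocked regardless of method
        return Decision(False, "Realm export operations are blocked by policy")
    if MASTER_RE.match(path) and method in MUTATING:  # REQ-ADMIN-002 (assumed: writes only)
        return Decision(False, "Master realm changes are blocked by policy")
    if IDP_RE.match(path) and method in MUTATING:  # REQ-ADMIN-004
        return Decision(False, "Identity provider changes are blocked by policy")
    if read_only and method in MUTATING:  # REQ-ADMIN-007
        return Decision(False, "Admin API is in read-only mode")
    return Decision(True)

def clamp_user_listing(url, cap=100):
    """REQ-ADMIN-006: cap the 'max' page size on user listings (cap value assumed).
    Non-listing URLs pass through; an unparsable 'max' is reset to the cap."""
    parts = urlsplit(url)
    if not USERS_RE.match(parts.path):
        return url
    query = parse_qs(parts.query, keep_blank_values=True)
    try:
        requested = int(query.get("max", [str(cap)])[0])
    except ValueError:
        requested = cap + 1  # unparsable page size: treat as over the cap
    if requested > cap:
        query["max"] = [str(cap)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
```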