Keycloak Metrics SPI Endpoint Protection

DallasP9124 · November 12, 2021, 7:16pm

We recently got the metrics SPI installed on our development server so that our Prometheus instance can scrape from it. What immediately concerns us is that there doesn’t seem to be any way of protecting this endpoint from public access in a production environment.

Is there a way to specify the port for this SPI or make it that only an authenticated admin can access it?

Or would be have to put Keycloak behind a gateway?

jangaraj · November 12, 2021, 8:43pm

Put it behind reverse proxy (nginx) and configure authorization for that metric endpoint on the proxy level. Don’t forget that each realm has this endpoint exposed.

Topic		Replies	Views
Metrics SPI & Prometheus Pushgateway with basic auth Extending the server	0	556	October 17, 2022
Can't access Keycloak Metrics Getting advice	4	82	April 2, 2025
Accessing metrics using prometheus Configuring the server	1	1595	June 19, 2023
Scraping http metrics while configuring keycloak for https Configuring the server	0	494	August 16, 2022
Keycloak Metrics SPI doesnt work with Keycloak v16 Configuring the server	9	4824	December 27, 2021

Keycloak Metrics SPI Endpoint Protection

Related topics