User in Realm-1 can list users in Realm-2 via API. How to restrict?




    User-1 in Realm-1 can list users in Realm-2 using User-1’s token via API.
    How to restrict?

     Peter Major 

    Please provide curl examples for this. Most likely you are just calling the wrong realm’s endpoint.



    1. Authenticate as a user in Realm-1 (userName: tester1)
    API: http://fr.test.loc/sso/json/realm1/authenticate
    Response: Received token String

    2. Call the API to list users in Realm-2, using the previous token (the Realm-1 user’s token)
    API: http://fr.test.loc/sso/json/realm2/users?_queryId=*&_fields=uid,cn,sn,givenName
    Response: It lists all users in realm2 using the realm1 user’s token

    3. Both realm DNs are different and both come under the master realm at the same level.

    The same way, I can access realm1’s users using a realm2 user’s token.
    This is the scenario I tried; what’s the issue with it?


    What’s the issue with it?
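A realm-isolation regression check for the scenario described above, added here and not taken from the thread: it authenticates in one realm, replays that token against the other realm's users endpoint, and reports a leak when user records come back instead of a 401/403. It assumes the X-OpenAM-Username/X-OpenAM-Password authentication headers, the iPlanetDirectoryPro token header and the tokenId response field; the password is a placeholder and the HTTP transport is injectable so the check can be exercised offline.

```python
"""Cross-realm token replay check for an OpenAM-style REST API (added example)."""
import json
import urllib.error
import urllib.request

BASE = "http://fr.test.loc/sso"                         # base URL from the thread
QUERY = "users?_queryId=*&_fields=uid,cn,sn,givenName"  # query from the thread


def http(method, url, headers=None, body=None):
    """Default transport: returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def authenticate(realm, user, password, transport=http):
    """Log in to /json/<realm>/authenticate and return the session tokenId."""
    headers = {"X-OpenAM-Username": user, "X-OpenAM-Password": password,
               "Content-Type": "application/json"}
    status, doc = transport("POST", f"{BASE}/json/{realm}/authenticate", headers, b"{}")
    if status != 200 or not isinstance(doc, dict) or "tokenId" not in doc:
        raise RuntimeError(f"authentication in {realm} failed: HTTP {status}")
    return doc["tokenId"]


def list_users(realm, token, transport=http):
    """Query /json/<realm>/users with the token presented as the session header."""
    headers = {"iPlanetDirectoryPro": token, "Accept": "application/json"}
    return transport("GET", f"{BASE}/json/{realm}/{QUERY}", headers)


def check_isolation(home_realm, other_realm, token, transport=http):
    """Return (isolated, detail): True when other_realm rejects home_realm's token."""
    status, doc = list_users(other_realm, token, transport)
    if status in (401, 403):
        return True, f"{other_realm} rejected the {home_realm} token (HTTP {status})"
    count = len(doc.get("result", [])) if isinstance(doc, dict) else 0
    if status == 200 and count:
        return False, f"LEAK: {home_realm} token listed {count} user(s) in {other_realm}"
    return True, f"{other_realm} returned HTTP {status} with no user records"


if __name__ == "__main__":
    # Both directions from the thread; "PASSWORD-PLACEHOLDER" must be replaced.
    for home, other, user in (("realm1", "realm2", "tester1"), ("realm2", "realm1", "tester2")):
        tok = authenticate(home, user, "PASSWORD-PLACEHOLDER")
        print(check_isolation(home, other, tok)[1])
```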

     Peter Major 

    Looks like absolutely nothing. It appears you ran into a bug.


    We have encountered this issue. Was a bug raised for this?
