Reputation: 1
How malicious user can use leaked Keycloak client_id and client_secret credentials?
I'm analyzing the impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838).
Basically, the CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{client_id}
Through other discussions, I've read about the possibility of generating a new JWT access_token and resigning it with the client_secret. Is this really possible given that the access_token generated by Keycloak uses RS256 and the refresh_token generated uses HS256? I ask this because to generate a new access_token, wouldn't it be necessary to possess the key pair (Public and Private) and thus generate a new token?
Considering the versions affected by this vulnerability, I would like to understand the main impacts of this client_secret leakage in a scenario where the Authorization Code Flow is enabled.
References:
- https://security.stackexchange.com/questions/138816/what-is-the-worst-that-can-happen-if-your-oauth-client-secret-is-leaked
- https://portswigger.net/kb/issues/00200903_jwt-weak-hmac-secret
Analyze the impact of leaked client_id and client_secret.
Upvotes: 0
Views: 229
Answers (0)
Related Questions
- How can I sanitize user input with PHP?
- Keycloak - receiving account service roles in JWT token, but expect custom roles
- Google Oauth refresh_token has expiration time in Google Workspace with Internal User Type?
- How to protect frontend and rest API with Keycloak
- How to block access of specific client and revoke his issued tokens in admin console
- How can I force Keycloak to use an Authorization header when connecting to an identity provider's token endpoint?
- how to get a token in js webapp for bearer-only backend client
- OAuth access token and refresh token creation