Keycloak Server-Side Request Forgery Vulnerability in OpenID Connect Dynamic Client Registration

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in Keycloak's OpenID Connect Dynamic Client Registration feature, specifically when clients authenticate using private_key_jwt. The vulnerability arises because Keycloak does not validate the jwks_uri parameter provided by clients during registration. This lack of validation allows attackers to manipulate the Keycloak server into making HTTP requests to internal or restricted network resources. Consequently, attackers could probe internal services and access cloud metadata endpoints, leading to potential information disclosure and reconnaissance risks.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where the Keycloak server is coerced into making requests to internal network resources. This could be used to access services running on localhost, probe internal RFC 1918 addresses, or retrieve information from cloud metadata endpoints. Although the responses to these requests are not returned directly to the attacker, an attacker can still infer the availability of internal services from timing and error responses, which enables internal network enumeration without authentication, particularly in environments that allow anonymous or token-based client registration.
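A registration-time check of the kind the advisory says is missing, as an added example (not Keycloak's own code). It rejects a client-supplied jwks_uri that is not HTTPS, carries userinfo, or points (as a literal or via DNS) at loopback, private, link-local or cloud-metadata address space; the blocked ranges and the injectable `resolve` hook are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a client-supplied jwks_uri must never point at (constructed policy for this
# example): loopback, RFC 1918, link-local (cloud metadata lives in 169.254.0.0/16), CGNAT.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(ip_text):
    """True if the address falls in a range the server must not fetch from."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (any(ip in net for net in BLOCKED_NETWORKS)
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _dns_resolve(host):
    """Resolve host to every A/AAAA address it currently points at."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_jwks_uri(uri, resolve=_dns_resolve):
    """Return (ok, reason) for a jwks_uri submitted at client registration."""
    # `resolve` maps hostname -> list of IP strings; inject a stub to test offline.
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        addresses = resolve(parts.hostname)  # hostname: check every record
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"host resolves to blocked address {addr}"
    # The later key fetch must connect to an address checked here; re-resolving
    # at fetch time reopens the door to DNS rebinding.
    return True, "ok"
```

A check like this only closes the registration path; the same policy has to apply wherever Keycloak later fetches the key set.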

Added: Jan 20, 2026, 1:34 PM
Updated: Jan 20, 2026, 1:34 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.4
exploitability: 7.7
remediation: 0.0
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.