Red Hat Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
An authentication bypass vulnerability has been identified in the Keycloak Identity Broker Service, specifically in the performLogin endpoint. The flaw allows authentication to proceed through an Identity Provider (IdP) that an administrator has disabled. The root cause is a time-of-check/time-of-use gap: the IdP's enabled state is checked when the login request is created (for example, when the login page renders the broker link), but performLogin does not re-validate that state when it is actually invoked. An attacker who knows the IdP alias can therefore replay a previously generated login request after the IdP has been disabled, bypassing the administrative control and initiating authentication through the disabled external provider.
Exploiting this vulnerability allows authentication to be started through a disabled Identity Provider, bypassing an administrative access control. This could grant access to resources or functionality that rely on that IdP for authentication. Note that performLogin only begins the brokered flow: the attacker still has to complete authentication at the external provider, so the practical impact depends on what that provider will assert, and is greatest where the IdP was disabled precisely because it is no longer trusted.
To reproduce this vulnerability, start with an Identity Provider that is enabled in Keycloak, begin a login, and capture the broker login URL that Keycloak generates for that IdP, including its session parameters. Then disable the IdP in the administrative console. Replaying the captured broker login URL still reaches the performLogin endpoint, which starts the authentication flow with the disabled IdP as long as the captured login session is still valid. On a patched instance the same replay should be rejected, and a freshly started login should no longer offer the disabled IdP at all; both checks are worth running after applying the fix.
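The time-of-check/time-of-use gap and the reproduction steps above, as an added example that is not Keycloak's own code: a simplified Python model of the broker login flow with a vulnerable performLogin handler beside a hardened one. Every name here (Realm, create_login_request, perform_login_vulnerable, perform_login_fixed, the alias corp-saml) is an assumption made for illustration and does not correspond to Keycloak's actual classes or endpoints.

```python
"""Simplified model of the broker-login time-of-check/time-of-use flaw.

Added illustration, not Keycloak code: a realm with identity providers,
a login-session store, and two versions of a performLogin handler. The
vulnerable one trusts that the IdP was enabled when the login request
was created; the hardened one re-reads the enabled flag when the broker
login endpoint is actually hit.
"""
from dataclasses import dataclass, field
import secrets


class BrokerError(Exception):
    """Raised when the broker refuses to start a login."""


@dataclass
class IdentityProvider:
    alias: str
    enabled: bool = True


@dataclass
class Realm:
    idps: dict = field(default_factory=dict)
    # session_code -> alias of the IdP the login request was created for
    login_sessions: dict = field(default_factory=dict)

    def add_idp(self, alias, enabled=True):
        self.idps[alias] = IdentityProvider(alias, enabled)

    def set_idp_enabled(self, alias, enabled):
        # Models the admin console: the flag flips, but already-issued
        # login sessions are left untouched.
        self.idps[alias].enabled = enabled


def create_login_request(realm, alias):
    """Models the login page building the broker link (the only check
    the vulnerable flow ever performs)."""
    idp = realm.idps.get(alias)
    if idp is None or not idp.enabled:
        raise BrokerError(f"identity provider '{alias}' is not available")
    session_code = secrets.token_urlsafe(16)
    realm.login_sessions[session_code] = alias
    return session_code


def _lookup(realm, alias, session_code):
    # Checks shared by both handlers: the session must exist and must
    # belong to the requested alias.
    if realm.login_sessions.get(session_code) != alias:
        raise BrokerError("invalid or mismatched login session")
    idp = realm.idps.get(alias)
    if idp is None:
        raise BrokerError(f"unknown identity provider '{alias}'")
    return idp


def perform_login_vulnerable(realm, alias, session_code):
    """Vulnerable shape: never re-reads idp.enabled, so a disable that
    happened after the login request was created is bypassed."""
    idp = _lookup(realm, alias, session_code)
    return f"redirect-to-idp:{idp.alias}"


def perform_login_fixed(realm, alias, session_code):
    """Hardened shape: the enabled flag is enforced at request time too."""
    idp = _lookup(realm, alias, session_code)
    if not idp.enabled:
        raise BrokerError(f"identity provider '{alias}' is disabled")
    return f"redirect-to-idp:{idp.alias}"


def reproduce(alias="corp-saml"):
    """Runs the reproduction steps against both handlers.

    Returns (vulnerable_outcome, fixed_outcome, fresh_request_blocked).
    """
    realm = Realm()
    realm.add_idp(alias, enabled=True)
    # Step 1: a login request is generated while the IdP is enabled.
    session_code = create_login_request(realm, alias)
    # Step 2: the administrator disables the IdP.
    realm.set_idp_enabled(alias, False)
    # Step 3: the stale broker login URL is replayed.
    vulnerable = perform_login_vulnerable(realm, alias, session_code)
    try:
        perform_login_fixed(realm, alias, session_code)
        fixed = "allowed"
    except BrokerError:
        fixed = "blocked"
    # Control: a fresh login request is refused on the normal path,
    # which is why the bypass is only visible through replay.
    try:
        create_login_request(realm, alias)
        fresh_blocked = False
    except BrokerError:
        fresh_blocked = True
    return vulnerable, fixed, fresh_blocked


if __name__ == "__main__":
    print(reproduce())
```

The point of the model is where the enabled check lives: an authorization decision that is made once when a link is built, and then trusted by the endpoint the link points at, is only as fresh as the link. The hardened handler makes the decision again at the moment the state-changing request arrives, which is the property to verify on a patched instance.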