Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
An access control vulnerability has been identified in Keycloak's OpenID Connect (OIDC) token introspection endpoint. This flaw allows a confidential client to bypass audience restrictions, enabling the retrieval of sensitive token claims intended for other resource servers. The vulnerability arises because the introspection endpoint does not properly validate that the client making the request is included in the token's audience claim before disclosing information. As a result, an attacker-controlled client with valid credentials can intercept or obtain access tokens meant for different audiences and access the full set of claims, including sensitive information that should have been excluded from lightweight access tokens. This issue can be exploited remotely by any confidential client within the same realm that has valid credentials.
Exploitation of this vulnerability allows unauthorized confidential clients to access sensitive token claims from intercepted or misappropriated access tokens, violating the confidentiality of lightweight access tokens and exposing attributes intended solely for legitimate resource servers.
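The missing control described above is an audience check on the introspection endpoint. The following is an added illustration, not Keycloak's own code: a simplified introspection handler that only releases the full claim set to a client named in the token's `aud` claim and answers everyone else with the same `{"active": false}` an invalid token would get (RFC 7662), so the endpoint cannot be used to recover claims that a lightweight access token deliberately omits. The claim values are constructed for the example.

```python
import time
from typing import Any, Mapping, Optional, Union

# RFC 7662: a caller that is not entitled to the token's details learns only this.
INACTIVE = {"active": False}


def _audiences(aud: Union[str, list, None]) -> set:
    """Normalise the 'aud' claim: RFC 7519 allows a single string or a list."""
    if aud is None:
        return set()
    if isinstance(aud, str):
        return {aud}
    return set(aud)


def introspect(full_claims: Mapping[str, Any], requesting_client: str,
               now: Optional[float] = None) -> dict:
    """Introspection response with the audience check the advisory says was missing.

    full_claims: the complete claim set the server holds for the token (a
                 lightweight access token carries only a subset of these).
    requesting_client: the client_id authenticated with its client credentials.
    The full claims are returned only if that client is a listed audience; any
    other confidential client in the realm gets the generic inactive response.
    """
    now = time.time() if now is None else now
    if full_claims.get("exp", 0) <= now:
        return dict(INACTIVE)
    if requesting_client not in _audiences(full_claims.get("aud")):
        return dict(INACTIVE)
    return {"active": True, **full_claims}


# Constructed sample claims for a hypothetical realm (not from any real deployment).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test/realms/demo",
    "sub": "user-123",
    "aud": ["orders-api", "billing-api"],
    "azp": "web-frontend",
    "exp": 4_102_444_800,  # far-future expiry so the sample stays valid
    "email": "user@example.test",  # attribute a lightweight token would omit
    "roles": ["customer"],
}

if __name__ == "__main__":
    print(introspect(SAMPLE_CLAIMS, "orders-api"))    # full claims: listed audience
    print(introspect(SAMPLE_CLAIMS, "other-client"))  # {'active': False}
```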