Keycloak Insecure Direct Object Reference Vulnerability in Authorization Services Protection API

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Keycloak's Authorization Services Protection API endpoint. This vulnerability allows authenticated clients to bypass authorization checks and access resources belonging to other Resource Servers within the same realm. By knowing or obtaining the unique identifier (UUID) of a resource from another Resource Server, the client can perform unauthorized GET, PUT, and DELETE operations on those resources. This could lead to unauthorized modification or deletion of data, as well as information disclosure.

Impact

Exploitation of this vulnerability allows a client authenticated to one Resource Server to bypass authorization checks and access resources belonging to another Resource Server in the same realm, performing unauthorized operations such as modification or deletion of that data on the other Resource Server's behalf.

Reproduction

To reproduce this vulnerability, first configure a Keycloak realm with two clients (clientA and clientB) that have Authorization Services enabled. Ensure that 'allowRemoteResourceManagement' is set to true. Create a resource under clientB and note its UUID. Then, obtain a client_credentials token for clientA. Using this token, send a GET request to the Authorization Services Protection API endpoint for the resource UUID belonging to clientB. The response will include clientB's resource data, indicating successful exploitation. The same can be done with PUT and DELETE requests, although DELETE may fail with an authorization error in certain Keycloak versions.
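As an added example (not part of this advisory or of Keycloak's own code), a defender-side check for the access pattern described above: it assumes an audit pipeline that records the calling client id, HTTP method, path and status for each Protection API request, and a resource-to-owner map built beforehand (for example from the admin API); the log lines, realm and UUIDs are constructed.

```python
import re
from dataclasses import dataclass

# Keycloak Protection API resource endpoint (documented path layout):
#   /realms/{realm}/authz/protection/resource_set/{resource_id}
PROTECTION_RE = re.compile(
    r"^/realms/(?P<realm>[^/]+)/authz/protection/resource_set/"
    r"(?P<resource_id>[0-9a-fA-F-]{36})$"
)

# Constructed ownership map: resource UUID -> client (Resource Server) that owns it.
RESOURCE_OWNER = {
    "11111111-1111-4111-8111-111111111111": "clientA",
    "22222222-2222-4222-8222-222222222222": "clientB",
}

# Constructed audit records, assumed format: "<client_id> <method> <path> <status>"
SAMPLE_LOG = """\
clientA GET /realms/demo/authz/protection/resource_set/11111111-1111-4111-8111-111111111111 200
clientA GET /realms/demo/authz/protection/resource_set/22222222-2222-4222-8222-222222222222 200
clientA PUT /realms/demo/authz/protection/resource_set/22222222-2222-4222-8222-222222222222 204
clientA DELETE /realms/demo/authz/protection/resource_set/22222222-2222-4222-8222-222222222222 403
clientB GET /realms/demo/authz/protection/resource_set/22222222-2222-4222-8222-222222222222 200
clientA POST /realms/demo/authz/protection/resource_set 201
"""

@dataclass(frozen=True)
class Finding:
    client: str
    method: str
    resource_id: str
    owner: str
    succeeded: bool  # 2xx status: the cross-owner request was served

def find_cross_owner_access(log_text: str, owners: dict) -> list:
    """Flag Protection API calls on a resource owned by a different client.
    A denied attempt (e.g. the DELETE that some versions reject) is still
    reported, with succeeded=False, because the attempt itself is the signal."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, method, path, status = parts
        m = PROTECTION_RE.match(path)
        if not m:  # collection endpoint or unrelated path: no resource id to check
            continue
        owner = owners.get(m["resource_id"])
        if owner is None or owner == client:
            continue
        findings.append(Finding(client, method, m["resource_id"], owner, status.startswith("2")))
    return findings
```

Run over the constructed log, the three clientA requests against clientB's resource are reported, with the 403 DELETE marked as an unsuccessful attempt.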

Added: May 19, 2026, 12:22 PM
Updated: May 19, 2026, 12:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.