Red Hat Build of Keycloak
cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*
A vulnerability exists in Keycloak that allows an authenticated user with the uma_protection role to bypass User-Managed Access (UMA) policy validation. This flaw enables the user to include resource identifiers from other users in a policy creation request, even if the specified URL path indicates an attacker-owned resource. As a result, the attacker can gain unauthorized access to resources owned by victims, obtain a Requesting Party Token (RPT), and access sensitive information or perform unauthorized actions.
Exploitation of this vulnerability allows for unauthorized access to victim-owned resources, facilitated by a bypass of UMA policy validation. This access includes the ability to obtain a Requesting Party Token (RPT) for those resources, which can be used to access sensitive information or perform actions on behalf of the victim.
To reproduce this vulnerability, an authenticated user with the uma_protection role can send a request to the /realms/{realm}/authz/protection/uma-policy/{resourceId} endpoint. The request can include a 'resources' array in the body that lists resource IDs owned by other users, bypassing the validation that only checks the resource ID in the URL path. Once the policy is created, the attacker can request an RPT for the victim's resources, gaining access to them.
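The following is an added illustration, not Keycloak's own code, of the validation gap the advisory describes and of the server-side check that closes it. It models the policy-creation request with a path resource ID and a 'resources' array in the body, against a constructed ownership table; the names (RESOURCE_OWNERS, PolicyRequest, validate_path_only, validate_all_resources, find_unauthorized) and all sample IDs are assumptions made for the example.

```python
# Added example (not Keycloak's code). Models the UMA policy-creation
# validation gap described above and a hardened check. All names and
# sample data below are constructed for illustration.

from dataclasses import dataclass, field
from typing import Dict, List

# Constructed ownership table: resource id -> owner user id.
RESOURCE_OWNERS: Dict[str, str] = {
    "res-attacker-1": "attacker",
    "res-victim-1": "victim",
    "res-victim-2": "victim",
}


@dataclass
class PolicyRequest:
    """A policy-creation request as seen by the protection API."""
    requester: str                     # authenticated user holding uma_protection
    path_resource_id: str              # {resourceId} taken from the URL path
    body_resources: List[str] = field(default_factory=list)  # 'resources' array in the body


def validate_path_only(req: PolicyRequest,
                       owners: Dict[str, str] = RESOURCE_OWNERS) -> bool:
    """Flawed logic: only the resource named in the URL path is checked.
    IDs carried in the body are never compared against ownership."""
    return owners.get(req.path_resource_id) == req.requester


def find_unauthorized(req: PolicyRequest,
                      owners: Dict[str, str] = RESOURCE_OWNERS) -> List[str]:
    """Return every resource ID in the request (path and body) that is
    unknown or not owned by the requester. Empty list means the request
    is consistent with the requester's own resources."""
    referenced = [req.path_resource_id] + list(req.body_resources)
    return [rid for rid in referenced if owners.get(rid) != req.requester]


def validate_all_resources(req: PolicyRequest,
                           owners: Dict[str, str] = RESOURCE_OWNERS) -> bool:
    """Hardened check: the policy may only cover resources the requester
    owns, whether they arrive in the URL path or in the body array."""
    return not find_unauthorized(req, owners)


if __name__ == "__main__":
    # Request shaped like the one in the advisory: attacker-owned resource
    # in the path, a victim-owned resource smuggled in the body array.
    crafted = PolicyRequest(
        requester="attacker",
        path_resource_id="res-attacker-1",
        body_resources=["res-attacker-1", "res-victim-1"],
    )
    print("path-only check accepts:", validate_path_only(crafted))        # True
    print("hardened check accepts:", validate_all_resources(crafted))     # False
    print("rejected ids:", find_unauthorized(crafted))                    # ['res-victim-1']
```

The hardened check also serves as a review rule for audit logs: any policy-creation request whose body references a resource ID that the requesting user does not own is the pattern to alert on.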