Keycloak
cpe:2.3:a:redhat:jboss_keycloak:*:*:*:*:*:*:*
A vulnerability in Keycloak allows low-privilege users to bypass security controls that disable implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain access tokens that should not be available. This issue also risks exposing these tokens in server logs, proxy logs, and HTTP Referrer headers, leading to unauthorized disclosure of sensitive information.
Exploitation of this vulnerability allows for unauthorized access to implicit flow access tokens, which can be disclosed through various logging mechanisms, including server logs, proxy logs, and HTTP Referrer headers.
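The disclosure path described above (tokens landing in server or proxy logs and in Referer headers) can be checked for after the fact. The following is an added example, not code from the advisory or from the Keycloak project: it scans access-log lines in the common "combined" format and reports requests whose URI or Referer carries an `access_token` or `id_token` query parameter. The log lines and the token-like strings are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; the JWT-looking values are fake.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /realms/demo/account/ HTTP/1.1" 200 512 "https://app.example.test/cb?access_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1MSJ9.sig&token_type=Bearer" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&response_type=code HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /cb?id_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1MiJ9.sig&state=xyz HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Query parameters that should never appear in a logged URL or Referer.
TOKEN_PARAMS = {"access_token", "id_token"}

# Combined log format: ip ident user [ts] "METHOD URI PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def token_params(url):
    """Return the sorted names of token-bearing query parameters in url ([] if none)."""
    if not url or url == "-":
        return []
    query = parse_qs(urlsplit(url).query)
    return sorted(TOKEN_PARAMS.intersection(query))


def find_leaked_tokens(log_text):
    """Scan log lines; report client IP, timestamp, which field leaked, and the parameter names.
    Token values themselves are deliberately not copied into the findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("uri", "referer"):
            names = token_params(m.group(field))
            if names:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "field": field, "params": names})
    return findings


if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} token in {f['field']}: {', '.join(f['params'])}")
```

Hits in the `referer` field point at a downstream application that received tokens in its URL and then navigated to Keycloak; hits in `uri` mean the token reached this server's own request line.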
To mitigate this vulnerability, restrict network access to the Keycloak authentication endpoint to trusted clients and networks. Implement firewall rules to control inbound connections to the Keycloak service ports, reducing the attack surface. Ensure that these network restrictions remain in effect after reloading or restarting the Keycloak service.