Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
- >= 0, < 1.0.0
A vulnerability exists in Keycloak, an open-source identity and access management solution, due to improper handling of redirect URIs when wildcard redirects are allowed. This flaw, categorized as HTTP parameter pollution, enables remote attackers to manipulate the authentication process by crafting links that prioritize attacker-controlled information over legitimate data. Exploitation requires the client application to use a 'first-wins' strategy for duplicate query parameters, which is not universally applied.
Exploitation of this vulnerability could lead to unauthorized access to resources by allowing attackers to bypass security measures through the manipulation of OIDC response parameters.
To reproduce this vulnerability, configure a Keycloak client to accept wildcard redirect URIs. Once this is set, an attacker can create a malicious authorization URL that includes duplicate OIDC response parameters. When a user clicks this link, the client application may process the attacker-controlled parameters first, due to the 'first-wins' parsing strategy, leading to a polluted redirect that could bypass security controls.
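As an added example (not code from Keycloak or from the page's author), the following Python shows the client-side difference the description hinges on: a 'first-wins' parser that returns the attacker's leading values from a polluted callback, beside a strict parser that rejects any duplicated OIDC response parameter. The callback URL and parameter values are constructed.

```python
from urllib.parse import parse_qs, parse_qsl, urlsplit

# OIDC authorization-response parameters (RFC 6749 section 4.1.2 plus the
# session_state/iss values Keycloak appends) for which a duplicate must be
# treated as an error, never resolved by position.
OIDC_RESPONSE_PARAMS = {"code", "state", "session_state", "iss",
                        "error", "error_description"}


def first_wins(query: str) -> dict:
    """Lenient strategy the advisory warns about: keep the first value of each key."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def duplicated_oidc_params(query: str) -> list:
    """Names of OIDC response parameters that occur more than once, sorted."""
    multi = parse_qs(query, keep_blank_values=True)
    return sorted(k for k, vals in multi.items()
                  if k in OIDC_RESPONSE_PARAMS and len(vals) > 1)


def strict_oidc_params(query: str) -> dict:
    """Hardened strategy: refuse the whole response if any OIDC parameter repeats."""
    dupes = duplicated_oidc_params(query)
    if dupes:
        raise ValueError("duplicated OIDC response parameter(s): " + ", ".join(dupes))
    return {k: vals[0] for k, vals in parse_qs(query, keep_blank_values=True).items()}


def handle_callback(url: str, expected_state: str) -> str:
    """Return the authorization code only from a well-formed callback whose state matches."""
    params = strict_oidc_params(urlsplit(url).query)
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("missing code")
    return params["code"]


if __name__ == "__main__":
    # Constructed polluted callback: the attacker-chosen pair sits first (carried in
    # via the wildcard-matched redirect_uri); the genuine pair the IdP appends sits last.
    polluted = ("https://app.example.com/cb?state=ATTACKER_STATE&code=ATTACKER_CODE"
                "&state=GENUINE_STATE&code=GENUINE_CODE")
    print("first-wins sees:", first_wins(urlsplit(polluted).query))
    try:
        handle_callback(polluted, "GENUINE_STATE")
    except ValueError as err:
        print("strict parser rejects:", err)
```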