Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A vulnerability exists in Keycloak's Client Policies within the 'org.keycloak.protocol.oidc' component. This flaw allows an unauthenticated remote attacker to bypass security restrictions enforced by certain condition providers (client-type, client-roles, client-attributes, client-scopes). When these providers are used, the 'reject-ropc-grant' executor is silently ignored, enabling the attacker to obtain tokens through a Resource Owner Password Credentials (ROPC) grant, despite explicit policy configurations to block such actions. This bypass could lead to unauthorized access and information disclosure.
Exploitation of this vulnerability allows for unauthorized acquisition of tokens via the Resource Owner Password Credentials (ROPC) grant, bypassing client policies intended to reject such requests. This could result in unauthorized access to resources or information protected by the acquired tokens.
Keycloak administrators should review and adjust client policies that reject ROPC grants. It is recommended to avoid using the 'client-type', 'client-roles', 'client-attributes', or 'client-scopes' condition providers with the 'reject-ropc-grant' executor. Instead, policies should be configured to use the 'grant-type' condition provider for rejecting ROPC grants. A restart or reload of the Keycloak service may be necessary for these changes to take effect.
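To check an existing deployment for the risky pairing described above, the following audit script (an added example, not Keycloak's own tooling) scans a realm export for client policies that apply a 'reject-ropc-grant' profile through one of the bypassed condition providers. The export layout (clientProfiles/clientPolicies, executor and condition keys) is assumed from Keycloak realm exports; the condition and executor IDs are the ones named in the advisory.

```python
"""Audit a Keycloak realm export for client policies that pair 'reject-ropc-grant'
with the condition providers the advisory names as bypassed. Added example, not
Keycloak code; the export layout (clientProfiles/clientPolicies) is assumed."""

# Condition provider IDs the advisory names as bypassed, and the executor they ignore.
BYPASSED_CONDITIONS = {"client-type", "client-roles", "client-attributes", "client-scopes"}
EXECUTOR = "reject-ropc-grant"


def profiles_rejecting_ropc(realm: dict) -> set[str]:
    """Names of client profiles that carry the reject-ropc-grant executor."""
    profiles = realm.get("clientProfiles", {}).get("profiles", [])
    return {p["name"] for p in profiles
            if any(e.get("executor") == EXECUTOR for e in p.get("executors", []))}


def find_weak_policies(realm: dict) -> list[dict]:
    """Enabled policies whose ROPC rejection hinges on a bypassed condition provider."""
    ropc_profiles = profiles_rejecting_ropc(realm)
    findings = []
    for policy in realm.get("clientPolicies", {}).get("policies", []):
        if not policy.get("enabled", True):
            continue
        if not ropc_profiles & set(policy.get("profiles", [])):
            continue  # this policy does not apply a reject-ropc-grant profile
        conditions = {c.get("condition") for c in policy.get("conditions", [])}
        weak = conditions & BYPASSED_CONDITIONS
        if weak:
            findings.append({"policy": policy["name"], "weak_conditions": sorted(weak)})
    return findings


# Constructed sample export (not a real realm): one ROPC-rejecting profile, two policies.
SAMPLE_REALM = {
    "clientProfiles": {"profiles": [
        {"name": "no-ropc", "executors": [{"executor": EXECUTOR, "configuration": {}}]}]},
    "clientPolicies": {"policies": [
        {"name": "ropc-by-client-role", "enabled": True,  # weak: client-roles is bypassed
         "conditions": [{"condition": "client-roles", "configuration": {"roles": ["public-app"]}}],
         "profiles": ["no-ropc"]},
        {"name": "ropc-by-grant-type", "enabled": True,  # shape the advisory recommends
         "conditions": [{"condition": "grant-type", "configuration": {}}],
         "profiles": ["no-ropc"]}]},
}

if __name__ == "__main__":
    for f in find_weak_policies(SAMPLE_REALM):
        print(f"policy {f['policy']!r} relies on {f['weak_conditions']}; use 'grant-type' instead")
```

Point `find_weak_policies` at `json.load()` of a real realm export to list every policy that should be moved to the 'grant-type' condition.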