Describe the bug
A user can override claims when a configuration uses the JWT validator with `propagate-claims` and `headers_to_pass`.
Your configuration file
Commands used
I have started Keycloak locally and configured the `test` realm with one user using the command:
After that I have started KrakenD:
Now I have to authenticate and then use the Access Token to execute a request to KrakenD:
I see everything is fine in the KrakenD logs:
But now I'm going to execute the same request as before, but I want to explicitly set the headers `x-user-email`, `x-user-username` and `x-user-scope`:
Logs from KrakenD:
As you can see, these headers are wrong now (the user can override claims from the JWT):
- `x-user-username` contains `admin` and `user`
- `x-user-scope` contains `admin`, `profile` and `email`
- `x-user-email` contains `admin@example.com` and `user@example.com`
Expected behavior
The headers passed to the backend service shouldn't contain headers provided explicitly by the user, like `admin`. It allows very bad attacks to be executed easily. Of course that behavior is desired only for configurations with `propagate-claims`.
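An added illustration of the header-merging behaviour this report describes; it is not the reporter's reproduction and not KrakenD's code. It is a small Go model of the gateway step that copies verified JWT claims into `x-user-*` headers. The claim-to-header pairs, the sample token claims and the attacker's request headers are all constructed for the example, and the token is a placeholder. The vulnerable variant appends the claim value with `Header.Add`, so the client's own `admin` values survive next to the token's; the fixed variant deletes any client-supplied copy of a propagated header before setting the value taken from the token.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Claims holds values the gateway has already verified from the JWT
// signature. Constructed for this example; a real gateway gets them from
// the validated token.
type Claims map[string]string

// propagation pairs a claim name with the header it is copied into.
// Hypothetical pairs, chosen to match the header names in the report.
var propagation = [][2]string{
	{"preferred_username", "x-user-username"},
	{"scope", "x-user-scope"},
	{"email", "x-user-email"},
}

// sampleClaims is the content of the legitimate user's token (constructed).
func sampleClaims() Claims {
	return Claims{
		"preferred_username": "user",
		"scope":              "profile email",
		"email":              "user@example.com",
	}
}

// sampleClientHeaders mimics the attacker's request: a bearer token plus
// explicitly set x-user-* headers (constructed; the token is a placeholder).
func sampleClientHeaders() http.Header {
	h := http.Header{}
	h.Set("Authorization", "Bearer <token>")
	h.Set("x-user-username", "admin")
	h.Set("x-user-scope", "admin")
	h.Set("x-user-email", "admin@example.com")
	return h
}

// buildBackendHeadersVulnerable forwards the client's headers and then
// appends the claim values. Add keeps any value the client already sent,
// so the backend receives both "admin" and "user" for the same header.
func buildBackendHeadersVulnerable(client http.Header, claims Claims) http.Header {
	out := client.Clone()
	if out == nil {
		out = http.Header{}
	}
	for _, p := range propagation {
		if v, ok := claims[p[0]]; ok {
			out.Add(p[1], v)
		}
	}
	return out
}

// buildBackendHeadersFixed removes the client's copy of every propagated
// header, whether or not the token carries that claim, and then sets the
// value from the verified claims. The backend only sees what the JWT said.
func buildBackendHeadersFixed(client http.Header, claims Claims) http.Header {
	out := client.Clone()
	if out == nil {
		out = http.Header{}
	}
	for _, p := range propagation {
		out.Del(p[1])
		if v, ok := claims[p[0]]; ok {
			out.Set(p[1], v)
		}
	}
	return out
}

// describe renders the propagated headers as "name: v1 | v2" lines, the
// view a backend log gives of a repeated header.
func describe(h http.Header) string {
	var b strings.Builder
	for _, p := range propagation {
		fmt.Fprintf(&b, "%s: %s\n", p[1], strings.Join(h.Values(p[1]), " | "))
	}
	return b.String()
}

func main() {
	fmt.Println("vulnerable (Add):")
	fmt.Print(describe(buildBackendHeadersVulnerable(sampleClientHeaders(), sampleClaims())))
	fmt.Println("fixed (Del + Set):")
	fmt.Print(describe(buildBackendHeadersFixed(sampleClientHeaders(), sampleClaims())))
}
```

Run it with `go run .`. In the vulnerable output the attacker's value comes first in each repeated header, and Go's `Header.Get` (like many backend frameworks' single-value accessors) returns only that first value, which is why appending is not a safe way to propagate claims: the policy has to be that a header listed for claim propagation is owned by the gateway, and whatever the client sent under that name is discarded before the verified value is written.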