
security enhancement : representation of admin events & credentials #17470

Closed
regilero opened this issue Mar 6, 2023 · 0 comments · Fixed by #21561
Assignees
Labels
kind/enhancement Categorizes a PR related to an enhancement
Milestone

Comments

@regilero

regilero commented Mar 6, 2023

Description

Ensure user secret credentials exchanged via some REST API calls (like user creation) cannot be saved in database if admin events are saved with representations (not the default).

Discussion

Classified as a security enhancement by the security team.

Motivation

For triage: this is an area/core rather than area/storage issue; it is contents-related (what is stored) rather than storage-related (where and how it is stored).

Details

Problem tested on Keycloak 15.x and 20.03.

How to reproduce problems

There may be other paths to this problem. My personal experience is with user creation via an external application, using the Keycloak Admin REST API for user creation (registration via a third-party application).

We use a service account with administrative rights on realm-management.

User creation is a POST on
${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users with some json data:

{"email":"foobar@example.com","username":"foobar@example.com","enabled":true,"credentials":[{"type":"password","value":"fooFoo42"}]}

This data contains a 'credentials' section, here with a password.

In the events configuration
(/admin/master/console/#/<realm>/realm-settings/events), on the 'Admin
events settings' tab, 'Save Events' and 'Include Representation' are both activated (not the default).

After creating the user, a 'CREATE USER' admin event is correctly
recorded in the admin events. The stored representation of this event is
the full, unaltered JSON, containing the full 'credentials' section.

Solutions

I think the credentials sections of these events should not be included in the final stored representation, avoiding database storage of passwords (replacing them with stars, for example).

Checking the REST API format for CredentialRepresentation
(https://www.keycloak.org/docs-api/20.0.3/rest-api/index.html#_credentialrepresentation)
I think this may include "value", "secretData" and "credentialData"
fields. But other fields may also need this.

The CredentialRepresentation may not be the only item impacted. Any data
that is never stored as a cleartext field in the final database table should not
be stored in the clear in the event log table either.
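The redaction the issue proposes, as an added example: this is not regilero's code and not Keycloak's own implementation of the fix, but a defender-side sanitiser that a service would run on a representation before handing it to the admin-event store. It assumes only the three field names the issue lists from the CredentialRepresentation docs (`value`, `secretData`, `credentialData`); the function names, the mask string and the sample payload are constructed here. It goes slightly beyond the single CREATE USER case by walking nested structures, so a `credentials` list buried inside a larger payload is masked as well.

```python
import copy
import json

# Fields of a CredentialRepresentation that may carry secret material
# (names taken from the Keycloak REST API docs linked in the issue).
SECRET_CREDENTIAL_FIELDS = {"value", "secretData", "credentialData"}
MASK = "********"

# Constructed sample: the user-creation payload described in the issue.
SAMPLE_CREATE_USER = {
    "email": "foobar@example.com",
    "username": "foobar@example.com",
    "enabled": True,
    "credentials": [{"type": "password", "value": "fooFoo42"}],
}


def redact_credentials(representation):
    """Return a copy of an admin-event representation with secret fields masked.

    Walks the structure recursively so that 'credentials' entries nested at
    any depth (e.g. inside a bulk payload) are covered too. Non-secret fields
    such as 'type' or 'temporary' are kept so the event stays useful for audit.
    The input is never modified: the caller may still need the real values.
    """
    def walk(node, inside_credentials=False):
        if isinstance(node, dict):
            out = {}
            for key, val in node.items():
                if inside_credentials and key in SECRET_CREDENTIAL_FIELDS:
                    out[key] = MASK
                else:
                    # Entering a 'credentials' key switches masking on for
                    # everything beneath it; elsewhere a 'value' key is harmless.
                    out[key] = walk(val, inside_credentials or key == "credentials")
            return out
        if isinstance(node, list):
            return [walk(item, inside_credentials) for item in node]
        return node

    return walk(copy.deepcopy(representation))


def contains_secret(representation, secrets):
    """Audit check: True if any known secret string still appears in the
    serialised representation, i.e. the sanitiser missed something."""
    blob = json.dumps(representation)
    return any(secret in blob for secret in secrets)


if __name__ == "__main__":
    safe = redact_credentials(SAMPLE_CREATE_USER)
    print(json.dumps(safe, indent=2))
    print("secret leaked:", contains_secret(safe, ["fooFoo42"]))
```

The `contains_secret` check is the useful part for a deployment: run it against the representation that actually reaches the event store, with the plaintext values the request carried, and alert if it ever returns True. That catches a representation type the sanitiser does not know about, which is exactly the "may not be the only item impacted" concern above.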

@regilero regilero added kind/enhancement Categorizes a PR related to an enhancement status/triage labels Mar 6, 2023
@stianst stianst added this to the 22.0.0 milestone Mar 7, 2023
@pedroigor pedroigor self-assigned this Jul 10, 2023
pedroigor added a commit to pedroigor/keycloak that referenced this issue Jul 10, 2023
pedroigor added a commit to pedroigor/keycloak that referenced this issue Jul 10, 2023
pedroigor added a commit to pedroigor/keycloak that referenced this issue Jul 10, 2023
pedroigor added a commit to pedroigor/keycloak that referenced this issue Jul 10, 2023
@ghost ghost removed the status/triage label Jul 11, 2023