### Description

Ensure user secret credentials exchanged via some REST API calls (like user creation) cannot be saved in the database if admin events are saved with representations (not the default).

### Discussion

Classified as a security enhancement by the security team.

### Motivation

For triage: this is an `area/core` rather than an `area/storage` issue; it is contents-related (what is stored) rather than storage-related (where and how it is stored).

### Details

Problem tested on Keycloak 15.x and 20.03.

#### How to reproduce the problem

There may be other paths to this problem. My personal experience is with user creation via an external application, using the Keycloak Admin REST API for user creation (registration via a third-party application).

We use a service account with administrative rights on realm-management.

User creation is a POST on `${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users` with some JSON data:

This data contains a `credentials` section, here with a password.

In the events configuration (`/admin/master/console/#/<realm>/realm-settings/events`), on the 'Admin events settings' tab, 'Save Events' and 'Include Representation' are both activated (not the default).

After creating the user, a 'CREATE USER' admin event is rightly recorded in the admin events. The stored representation of this event is the full, unaltered JSON, containing the full `credentials` section.

### Solutions

I think all the credentials sections of these events should not be included in the final stored representation, avoiding database storage of passwords (replacing them with stars, for example).

The CredentialRepresentation may not be the only item impacted. Any data that is never stored as a cleartext field in the final database table should not be stored in clear in the event log table.
Checking the REST API format for CredentialRepresentation (https://www.keycloak.org/docs-api/20.0.3/rest-api/index.html#_credentialrepresentation), I think this may include the `value`, `secretData` and `credentialData` fields. But other fields may also need this.
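As an added illustration of the mitigation proposed above (this is not code from the Keycloak project or from the issue author), the following Python masks the secret-bearing fields of every `credentials` entry in a representation before it would be persisted, and, for installations that already had 'Include Representation' switched on, scans stored admin-event rows for representations that still carry unmasked values. The set of secret-bearing field names (`value`, `secretData`, `credentialData`), the `REPRESENTATION` column name, and the sample rows are assumptions and constructed data, not taken from a real database.

```python
"""Redact CredentialRepresentation secrets from an admin-event representation
and audit already-stored representations for leaked secrets.

Added example, not Keycloak code. Assumptions: a representation is the JSON
body of the admin REST call; credentials live in a "credentials" list of
CredentialRepresentation objects; the secret-bearing fields are "value",
"secretData" and "credentialData" (as suggested in the issue); stored
admin-event rows expose the JSON in a "REPRESENTATION" column.
"""
import json

# Assumed secret-bearing CredentialRepresentation fields (from the issue text).
SECRET_FIELDS = frozenset({"value", "secretData", "credentialData"})
MASK = "********"


def _mask_credential(cred):
    """Mask secret-bearing fields of one CredentialRepresentation dict."""
    if not isinstance(cred, dict):
        return cred
    return {k: (MASK if k in SECRET_FIELDS and v is not None else v)
            for k, v in cred.items()}


def redact_credentials(rep):
    """Return a deep copy of `rep` with secret-bearing credential fields masked.

    Walks the structure recursively so a "credentials" list nested inside a
    larger representation (e.g. a list of users) is handled as well. Non-secret
    credential fields such as "type" and "temporary" are kept, so the event
    still records that a credential was set without recording the secret.
    """
    if isinstance(rep, list):
        return [redact_credentials(item) for item in rep]
    if not isinstance(rep, dict):
        return rep
    out = {}
    for key, val in rep.items():
        if key == "credentials" and isinstance(val, list):
            out[key] = [_mask_credential(c) for c in val]
        else:
            out[key] = redact_credentials(val)
    return out


def find_leaked_secrets(rep, path="$"):
    """Return JSONPath-like locations of unmasked secret fields in `rep`."""
    hits = []
    if isinstance(rep, list):
        for i, item in enumerate(rep):
            hits.extend(find_leaked_secrets(item, f"{path}[{i}]"))
    elif isinstance(rep, dict):
        for key, val in rep.items():
            if key == "credentials" and isinstance(val, list):
                for i, cred in enumerate(val):
                    if isinstance(cred, dict):
                        for k, v in cred.items():
                            if k in SECRET_FIELDS and v not in (None, MASK):
                                hits.append(f"{path}.credentials[{i}].{k}")
            else:
                hits.extend(find_leaked_secrets(val, f"{path}.{key}"))
    return hits


def audit_events(rows):
    """Return [(row_index, [locations])] for rows whose stored representation
    still contains unmasked credential secrets. Rows with no or unparsable
    representation are skipped."""
    findings = []
    for i, row in enumerate(rows):
        raw = row.get("REPRESENTATION")
        if not raw:
            continue
        try:
            rep = json.loads(raw)
        except json.JSONDecodeError:
            continue
        leaks = find_leaked_secrets(rep)
        if leaks:
            findings.append((i, leaks))
    return findings


# Constructed sample data: a user-creation body as sent to the admin REST API.
SAMPLE_USER_REP = {
    "username": "alice",
    "enabled": True,
    "credentials": [{"type": "password", "value": "S3cret!", "temporary": False}],
}

# Constructed sample rows shaped like stored admin events (column subset assumed).
SAMPLE_ADMIN_EVENTS = [
    {"OPERATION_TYPE": "CREATE", "RESOURCE_TYPE": "USER",
     "RESOURCE_PATH": "users/<user-id>",
     "REPRESENTATION": json.dumps(SAMPLE_USER_REP)},
    {"OPERATION_TYPE": "UPDATE", "RESOURCE_TYPE": "USER",
     "RESOURCE_PATH": "users/<user-id>",
     "REPRESENTATION": json.dumps({"username": "bob", "firstName": "Bob"})},
]

if __name__ == "__main__":
    print("redacted:", json.dumps(redact_credentials(SAMPLE_USER_REP)))
    print("leaks in stored events:", audit_events(SAMPLE_ADMIN_EVENTS))
```

`redact_credentials` is the shape of the change the issue asks for (apply it to the representation before the admin event is written); `audit_events` is what an operator would run over existing event rows to decide whether stored representations need purging.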