<html>

  <head>

    <meta content="text/html; charset=windows-1252"

      http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

<a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern</a><br>

    <br>

    CSRF prevention using a session token is really an application

    specific thing that Keycloak cannot handle automatically.   Even the

    referenced Tomcat filter requires that you manually encode every URL

    you publish.  Also, if you read the linked owasp doc, it doesn't

    recommend that you include CSRF tokens in URLs.  #1 it screws up

    browser caches, and #2 the token is still stored in browser history.<br>

    <br>

    IMO, CORS, specifically the Origin header, is the best and least

    intrusive approach to prevent CSRF.  Keycloak has support for that.<br>

    <br>

<a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token</a><br>

    <br>

    <br>

    <br>

    <div class="moz-cite-prefix">On 2/22/2016 10:20 AM, Baskin, Ilia

      wrote:<br>

    </div>

    <blockquote

cite="mid:CY1PR07MB22001156C074D18D75A47D2BC4A30@CY1PR07MB2200.namprd07.prod.outlook.com"

      type="cite">

      <meta http-equiv="Content-Type" content="text/html;

        charset=windows-1252">

      <meta name="Generator" content="Microsoft Word 14 (filtered

        medium)">

      <style><!--

/* Font Definitions */

@font-face

        {font-family:Helvetica;

        panose-1:2 11 6 4 2 2 2 2 2 4;}

@font-face

        {font-family:Helvetica;

        panose-1:2 11 6 4 2 2 2 2 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman","serif";}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

p.MsoAcetate, li.MsoAcetate, div.MsoAcetate

        {mso-style-priority:99;

        mso-style-link:"Balloon Text Char";

        margin:0in;

        margin-bottom:.0001pt;

        font-size:8.0pt;

        font-family:"Tahoma","sans-serif";}

span.EmailStyle17

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

span.BalloonTextChar

        {mso-style-name:"Balloon Text Char";

        mso-style-priority:99;

        mso-style-link:"Balloon Text";

        font-family:"Tahoma","sans-serif";}

.MsoChpDefault

        {mso-style-type:export-only;}

@page WordSection1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.WordSection1

        {page:WordSection1;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

      <div class="WordSection1">

        <p class="MsoNormal"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Thanks

            Scott,<o:p></o:p></span></p>

        <p class="MsoNormal"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>

        <p class="MsoNormal"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">As

            far as I understand now the Chapter 22. Security

            Vulnerabilities of Keycloak documentation talks about the

            security of authentication workflow. I believe it will be

            nice if you added clear explanation of what security the

            adapters provide and don’t provide after authentication.<o:p></o:p></span></p>

        <p class="MsoNormal"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>

        <p class="MsoNormal"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Thanks<o:p></o:p></span></p>

        <p class="MsoNormal"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Ilia<o:p></o:p></span></p>

        <p class="MsoNormal"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>

        <p class="MsoNormal"><b><span

style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span

style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">

            Scott Rossillo [<a class="moz-txt-link-freetext" href="mailto:srossillo@smartling.com">mailto:srossillo@smartling.com</a>]

            <br>

            <b>Sent:</b> Saturday, February 20, 2016 10:29 AM<br>

            <b>To:</b> Baskin, Ilia<br>

            <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>

            <b>Subject:</b> Re: [keycloak-user] Is it CSRF

            vulnerability?<o:p></o:p></span></p>

        <p class="MsoNormal"><o:p> </o:p></p>

        <div>

          <p class="MsoNormal">Are you using the Tomcat adapter? If so

            you have to configure Tomcats' CSRF filter.

            <br>

            <br>

            Once you've authenticated with an SSO server like Keycloak,

            you still have to use platform specific CSRF

            <br>

            <br>

            <a moz-do-not-send="true"

href="https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter">https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter</a><o:p></o:p></p>

        </div>

        <p class="MsoNormal"><o:p> </o:p></p>

        <div>

          <div>

            <p class="MsoNormal">On Fri, Feb 19, 2016 at 6:19 PM Baskin,

              Ilia &lt;<a moz-do-not-send="true"

                href="mailto:ibaskine@microstrategy.com" target="_blank">ibaskine@microstrategy.com</a>&gt;

              wrote:<o:p></o:p></p>

          </div>

          <blockquote style="border:none;border-left:solid #CCCCCC

            1.0pt;padding:0in 0in 0in

            6.0pt;margin-left:4.8pt;margin-right:0in">

            <div>

              <div>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Scott,</span><o:p></o:p></p>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"> </span><o:p></o:p></p>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I

                    know that, but this is exactly how CSRF works. There

                    are several simple ways to defend against CSRF and I

                    am surprised that Keycloak, a security application,

                    doesn’t utilize any.</span><o:p></o:p></p>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"> </span><o:p></o:p></p>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Thanks.</span><o:p></o:p></p>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Ilia</span><o:p></o:p></p>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"> </span><o:p></o:p></p>

                <div>

                  <div style="border:none;border-top:solid #B5C4DF

                    1.0pt;padding:3.0pt 0in 0in 0in">

                    <p class="MsoNormal"

                      style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span

style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span

style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">

                        Scott Rossillo [mailto:<a moz-do-not-send="true"

                          href="mailto:srossillo@smartling.com"

                          target="_blank">srossillo@smartling.com</a>]

                        <br>

                        <b>Sent:</b> Friday, February 19, 2016 6:15 PM<br>

                        <b>To:</b> Baskin, Ilia<br>

                        <b>Cc:</b> <a moz-do-not-send="true"

                          href="mailto:keycloak-user@lists.jboss.org"

                          target="_blank">keycloak-user@lists.jboss.org</a><br>

                        <b>Subject:</b> Re: [keycloak-user] Is it CSRF

                        vulnerability?</span><o:p></o:p></p>

                  </div>

                </div>

              </div>

            </div>

            <div>

              <div>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>

                <p class="MsoNormal"

                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Once

                  you’ve authenticated with Keycloak, your application

                  has an session id provided by Tomcat. This is why your

                  requests are succeeding. If you examine your XHR

                  requests, I’d assume the session id cookie is being

                  passed to the server.<o:p></o:p></p>

                <div>

                  <p class="MsoNormal"

                    style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>

                </div>

                <div>

                  <div>

                    <p class="MsoNormal"

                      style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>

                    <div>

                      <div>

                        <div>

                          <div>

                            <p class="MsoNormal"

                              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black">Scott

                                Rossillo</span><o:p></o:p></p>

                          </div>

                          <div>

                            <p class="MsoNormal"

                              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black">Smartling

                                | Senior Software Engineer</span><o:p></o:p></p>

                          </div>

                          <div>

                            <p class="MsoNormal"

                              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"><a

                                  moz-do-not-send="true"

                                  href="mailto:srossillo@smartling.com"

                                  target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:srossillo@smartling.com">srossillo@smartling.com</a></a></span><o:p></o:p></p>

                          </div>

                        </div>

                      </div>

                      <p class="MsoNormal"

                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>

                      <div>

                        <blockquote

                          style="margin-top:5.0pt;margin-bottom:5.0pt">

                          <div>

                            <p class="MsoNormal"

                              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On

                              Feb 19, 2016, at 6:01 PM, Baskin, Ilia

                              &lt;<a moz-do-not-send="true"

                                href="mailto:ibaskine@microstrategy.com"

                                target="_blank">ibaskine@microstrategy.com</a>&gt;

                              wrote:<o:p></o:p></p>

                          </div>

                          <p class="MsoNormal"

                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>

                          <div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Hi,</span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> </span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">I

                                  am experimenting with Keycloak to

                                  evaluate its suitability for our

                                  application. Here is one of my

                                  experiments, that got me warried:</span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> </span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">I

                                  created a simple page (see attached),

                                  deployed it on Tomcat and registered

                                  it in Keycloak as confidential client.

                                  As you can see the page contains a

                                  button clicking on which executes

                                  simple XHR request. Notice that XHR

                                  request doesn’t contain Authorization

                                  header. On submission of my page URL I

                                  am redirected to Keycloak for

                                  authentication. After authentication I

                                  can submit XHR requests at will.</span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> </span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Now

                                  I copied my page and deployed the copy

                                  on the same Tomcat as a different

                                  totally unsecured application. If I

                                  open this page in another browser tab

                                  and click on XHR button it will go

                                  through without any problem. It looks

                                  to me as a typical CSRF case. Am I

                                  missing something here?</span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> </span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Thanks.</span><o:p></o:p></p>

                            </div>

                            <div>

                              <p class="MsoNormal"

                                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span

style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Ilia</span><o:p></o:p></p>

                            </div>

                            <p class="MsoNormal"

                              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&lt;index.html&gt;<span

style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">_______________________________________________<br>

                                keycloak-user mailing list<br>

                              </span><a moz-do-not-send="true"

                                href="mailto:keycloak-user@lists.jboss.org"

                                target="_blank"><span

style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:purple">keycloak-user@lists.jboss.org</span></a><span

style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><br>

                              </span><a moz-do-not-send="true"

                                href="https://lists.jboss.org/mailman/listinfo/keycloak-user"

                                target="_blank"><span

style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:purple">https://lists.jboss.org/mailman/listinfo/keycloak-user</span></a><o:p></o:p></p>

                          </div>

                        </blockquote>

                      </div>

                      <p class="MsoNormal"

                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>

                    </div>

                  </div>

                </div>

              </div>

            </div>

          </blockquote>

        </div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

keycloak-user mailing list

<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>

<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>

    </blockquote>

    <br>

    <pre class="moz-signature" cols="72">-- 

Bill Burke

JBoss, a division of Red Hat

<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>

  </body>

</html>