Environment:
If URL_METRICS are enabled, all URLs are recorded. This leads to a really high cardinality of tags for the Prometheus metric "keycloak_request_duration_bucket", because 404 responses are logged together with the requested URL path, so an attacker who requests random non-existent URLs produces a new tag value for every request. Some tag examples:
{noformat}
resource="realms,auth/realms/myrealm/administrador"
resource="realms,auth/realms/myrealm/administrat"
resource="realms,auth/realms/myrealm/adminpro"
resource="realms,auth/realms/myrealm/admins"
....
{noformat}
Ideally the *resource* should be written only as "URI_NOT_FOUND" (like Java Spring does) or another constant value, by checking the status code and rewriting the URI for 404 responses.
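To make the cardinality effect concrete, here is an added Python model (not code from the metrics SPI or from Keycloak) of the tag assignment: a constructed request sample in the "realms,<uri>" tag format shown above, recorded once as-is and once with 404 paths collapsed to URI_NOT_FOUND. The fixed "realms" prefix and the sample paths are assumptions for illustration.

```python
from collections import Counter

URI_NOT_FOUND = "URI_NOT_FOUND"

# Constructed sample traffic: (status code, request path). The 404 paths mimic
# the random non-existent URLs from the ticket; they are not real captured data.
SAMPLE_REQUESTS = [
    (200, "auth/realms/myrealm/protocol/openid-connect/token"),
    (200, "auth/realms/myrealm/protocol/openid-connect/token"),
    (404, "auth/realms/myrealm/administrador"),
    (404, "auth/realms/myrealm/administrat"),
    (404, "auth/realms/myrealm/adminpro"),
    (404, "auth/realms/myrealm/admins"),
]


def resource_label(status, path, collapse_404=True):
    """Build the 'resource' tag value as 'realms,<uri>' (assumed fixed prefix).

    With collapse_404 the URI of every 404 response is replaced by the constant
    URI_NOT_FOUND, so unknown paths cannot mint new label values.
    """
    uri = URI_NOT_FOUND if (collapse_404 and status == 404) else path
    return f"realms,{uri}"


def label_counts(requests, collapse_404):
    """Histogram of observations per tag value, as Prometheus would store them."""
    return dict(Counter(resource_label(s, p, collapse_404) for s, p in requests))


def distinct_labels(requests, collapse_404):
    """Number of distinct 'resource' tag values, i.e. the label cardinality."""
    return len(label_counts(requests, collapse_404))


def probe_cardinality(n_probes, collapse_404):
    """Cardinality after n_probes constructed 404 requests on top of the sample.

    Without collapsing, each probe adds one tag value; with collapsing the
    cardinality stays at the fixed set of known resources plus URI_NOT_FOUND.
    """
    probes = [(404, f"auth/realms/myrealm/probe-{i}") for i in range(n_probes)]
    return distinct_labels(SAMPLE_REQUESTS + probes, collapse_404)
```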