[keycloak-dev] denial-of-service (DoS)

Tuesday, 17 February 2015

Hi all,

It’s very easy to produce an out of memory. Just make thousand of requests to the login
page with a huge state parameter. 
Keycloak allocates a new ClientSessionEntity for each request and stores it with the given
state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).

Do you think it is necessary to create a new ClientSessionEntity before the user is
authenticated?
Wouldn’t it be possible to pass all necessary information via URL parameters? Create a
LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to
the url as parameter.

Best
Michael

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[keycloak-dev] denial-of-service (DoS)