Scott,
I
know that, but this is exactly how CSRF works. There are
several simple ways to defend against CSRF and I am
surprised that Keycloak, a security application, doesn’t
utilize any.
Thanks.
Ilia
Once you’ve authenticated with Keycloak,
your application has an session id provided by Tomcat. This is
why your requests are succeeding. If you examine your XHR
requests, I’d assume the session id cookie is being passed to
the server.
Smartling
| Senior Software Engineer
I
am experimenting with Keycloak to evaluate its
suitability for our application. Here is one
of my experiments, that got me warried:
I
created a simple page (see attached), deployed
it on Tomcat and registered it in Keycloak as
confidential client. As you can see the page
contains a button clicking on which executes
simple XHR request. Notice that XHR request
doesn’t contain Authorization header. On
submission of my page URL I am redirected to
Keycloak for authentication. After
authentication I can submit XHR requests at
will.
Now
I copied my page and deployed the copy on the
same Tomcat as a different totally unsecured
application. If I open this page in another
browser tab and click on XHR button it will go
through without any problem. It looks to me as
a typical CSRF case. Am I missing something
here?
<index.html>_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user