[keycloak-user] Host Header Attack behind Load Balancer

Thursday, 14 June 2018

A Google Load balancer is proxying HTTP request to a Keycloak instance
[container running in Kubernetes].

A penetration test revealed that its possible to inject "X-FORWARDED-HOST"
with a malicious host name, and Keycloak will accept this (login page).

Is there a way to tell Keycloak (3.4) to only access web requests matching
a given host?

Thanks
Hylton Peimer