[keycloak-dev] denial-of-service (DoS)
Bill Burke
bburke at redhat.com
Tue Feb 17 19:57:32 EST 2015
On 2/17/2015 2:54 PM, Michael Gerber wrote:
> Hi all,
>
> It’s very easy to produce an out of memory. Just make thousand of requests to the login page with a huge state parameter.
> Keycloak allocates a new ClientSessionEntity for each request and stores it with the given state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).
>
> Do you think it is necessary to create a new ClientSessionEntity before the user is authenticated?
> Wouldn’t it be possible to pass all necessary information via URL parameters? Create a LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to the url as parameter.
>
Err...one last thing. ClientSession is just a glorified HttpSession.
We used to create the client session later and pass everything by URL
parameters. That was when we only supported OIDC. Now that Keycloak
can support multiple login protocols within the same SSO session we need
a way to store protocol information in a generic way. We also need to
remember the state the login is in as there may be multiple actions the
user has to perform (verify email, update password, register an OTP
generator, etc...) before they can finally go back to the application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list