[keycloak-dev] denial-of-service (DoS)

Bill Burke bburke at redhat.com
Tue Feb 17 22:46:29 EST 2015


In summary....

Keycloak is not a firewall. DoS is just not something it should be 
dealing with.  Mature firewalls allow you to set a limit on the number 
of concurrent requests from an IP address.

On 2/17/2015 7:57 PM, Bill Burke wrote:
>
>
> On 2/17/2015 2:54 PM, Michael Gerber wrote:
>> Hi all,
>>
>> It’s very easy to produce an out of memory. Just make thousands of requests to the login page with a huge state parameter.
>> Keycloak allocates a new ClientSessionEntity for each request and stores it with the given state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).
>>
>> Do you think it is necessary to create a new ClientSessionEntity before the user is authenticated?
>> Wouldn’t it be possible to pass all necessary information via URL parameters? Create a LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to the URL as a parameter.
>>
>
> Err...one last thing.  ClientSession is just a glorified HttpSession.
> We used to create the client session later and pass everything by URL
> parameters.  That was when we only supported OIDC.  Now that Keycloak
> can support multiple login protocols within the same SSO session we need
> a way to store protocol information in a generic way.  We also need to
> remember the state the login is in as there may be multiple actions the
> user has to perform (verify email, update password, register an OTP
> generator, etc...) before they can finally go back to the application.
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com