[keycloak-user] Able To Access Token Without Using Password
Kenyatta Clark
kclark at mbopartners.com
Thu Sep 3 22:08:34 EDT 2015
We were testing mobile access scenarios and discovered that we are able to obtain an access token using an AD user with a blank password. Keycloak works as expected if the password parameter is not sent, password sent is correct or password sent is incorrect; however, when we send a password without a value Keycloak returns an access token. We are using Keycloak 1.4.0.Final. We have confirmed with the issue using two different installations of 1.4.0.Final. We have tested the same scenario with Keycloak 1.3.1.Final and it works as expected.
Kenyatta Clark
Principal Engineer, Systems Development
MBO Partners
t: 703.793.6314
w: www.mbopartners.com<http://www.mbopartners.com/>
[cid:3BC34E4D-47BF-4F18-A628-A8098BE79BE3]
Notice: This email and any files transmitted with it are confidential. They are intended solely for the use of the individual addressed. If you have received this email in error please notify postmaster at mbopartners.com<mailto:postmaster at mbopartners.com>and permanently delete the e-mail and files.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150904/e6d03c29/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qrcode[1][4].png
Type: image/png
Size: 10866 bytes
Desc: qrcode[1][4].png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150904/e6d03c29/attachment-0001.png
More information about the keycloak-user
mailing list