[keycloak-user] 307 redirect issue + OAuth2/OpenID Connect possible vulnerability

Gabriel Lavoie glavoie at gmail.com
Thu Oct 6 14:06:16 EDT 2016


Hi,
     We currently have the following setup:

External service --- SAML --> Keycloak --- OpenID Connect --> External IdP

When an SP-initiated authentication request is being done to Keycloak by
posting a SAML assertion, Keycloak goes through a set of redirects to
authenticate the user to the external IdP through OpenID Connect first.

The redirects are currently being done using a 307 temporary redirect HTTP
code with a Location header. This makes the browser issue a POST request to
the external IdP with the SAML assertion, which could basically leak
information.

While OpenID Connect allows 302, 303 and 307 as the HTTP code, using
anything other than 303, which would transform the request into a GET request,
seems to be known as an attack vector on the protocol:
http://securityaffairs.co/wordpress/43518/digital-id/oauth-2-vulnerability.html

Is there a way to change the HTTP code that is used by Keycloak to issue
temporary redirections?

Thanks,

Gabriel
-- 
Gabriel Lavoie
glavoie at gmail.com
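As an added illustration, not code from the mail or from Keycloak itself: a small in-process simulation of the browser behaviour the mail describes, with a constructed broker and IdP hostname and a made-up SAMLResponse value. It follows the redirect the way a browser does for each status code (RFC 7231 section 6.4), so it also covers 301/302/308, and reports whether the SAML form body reaches the external IdP.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def broker_saml_endpoint(req: Request, redirect_status: int) -> Response:
    """Simulated broker (hypothetical, stands in for Keycloak): receives the SP's
    SAML POST and bounces the browser to the external OIDC IdP."""
    assert req.method == "POST" and "SAMLResponse" in req.body
    return Response(redirect_status,
                    {"Location": "https://idp.example.com/authorize?client_id=demo"})


def follow_redirect(req: Request, resp: Response) -> Request:
    """Re-issue the request the way browsers do (RFC 7231 section 6.4):
    303 always switches to GET without a body; 301/302 are treated the same
    way by browsers in practice (the RFC permits it for POST); 307/308 replay
    the original method and body verbatim at the new Location."""
    location = resp.headers["Location"]
    if resp.status in (301, 302, 303):
        return Request("GET", location)
    if resp.status in (307, 308):
        return Request(req.method, location, dict(req.body))
    raise ValueError(f"not a redirect status: {resp.status}")


def body_forwarded_to_idp(redirect_status: int) -> bool:
    """True when the SAML assertion ends up in the request the browser sends
    to the external IdP, i.e. the cross-origin leak described in the mail."""
    sp_post = Request("POST", "https://broker.example.com/saml/endpoint",
                      {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlPi4uLg=="})  # constructed sample
    resp = broker_saml_endpoint(sp_post, redirect_status)
    next_req = follow_redirect(sp_post, resp)
    assert urlsplit(next_req.url).netloc == "idp.example.com"  # request now leaves the broker
    return "SAMLResponse" in next_req.body


if __name__ == "__main__":
    for code in (302, 303, 307):
        print(code, "forwards SAML body to IdP:", body_forwarded_to_idp(code))
```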

