[keycloak-user] 307 redirect issue + OAuth2/OpenID Connect possible vulnerability
Bill Burke
bburke at redhat.com
Thu Oct 6 15:03:59 EDT 2016
Made a quick fix and it will be in next release.
https://github.com/keycloak/keycloak/pull/3297
On 10/6/16 2:06 PM, Gabriel Lavoie wrote:
> Hi,
> We currently have the following setup:
>
> External service --- SAML --> Keycloak --- OpenID Connect --> External IdP
>
> When a SP-initiated authentication request is being done to Keycloak by
> posting a SAML assertion, Keycloak goes through a set of redirect to
> authenticate the user to the external IdP through OpenID Connect first.
>
> The redirects are currently being done using a 307 temporary redirect HTTP
> code with a Location header. This makes the browser issue a POST request to
> the external IdP with the SAML assertion which is basically could leak
> informations.
>
> While OpenID Connect allow 302, 303 and 307 as the HTTP code, using
> anything else than 303 that would transform the request to a GET request
> seems to be known as an attack vector on the protocol:
> http://securityaffairs.co/wordpress/43518/digital-id/oauth-2-vulnerability.html
>
> Is there a way to change the HTTP code that is used by Keycloak to issue
> temporary redirections?
>
> Thanks,
>
> Gabriel
More information about the keycloak-user
mailing list