[keycloak-user] CSRF token in user management pages
vasleon
vaslion13 at yahoo.gr
Tue May 28 15:28:44 EDT 2019
Dear All,
According to the page here
<https://www.keycloak.org/docs/2.5/server_admin/topics/threat/csrf.html>
the only part of Keycloak that really falls into CSRF is the user
account management pages. It mentions that in order to protect from
CSRF, keycloak uses a state cookie.
I imagine that the user account management pages are the ones under the
url = http://localhost:8180/auth/realms/demo/account/, is this correct?
If yes, the cookies i can see available in this page are an
AUTH_SESSION_ID cookie and a KC_RESTART. I do not see a "stateChecker"
value.
I can see these files are related to csrf checking in the code of
keycloak server
* services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
* adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakCsrfRequestMatcher.java
* services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java
Can someone who has knowledge over this verify that the user account
management pages is referring to the url provided above and if not
expand on which pages are csrf protected?
Also please verify that indeed the 3 files above are responsible for
csrf chekcing
Thank you
More information about the keycloak-user
mailing list