[keycloak-user] Potential Vulnerability on Login-action endpoint

Hossein Doutaghy hossein.doutaghy at gmail.com
Tue Oct 22 16:11:17 EDT 2019


Hi,

A web security scanner found that the Keycloak Admin console is using GET with
the login-actions endpoint. It points out that several parameters are visible in
the URL which can be sensitive, e.g. execution_session_code, client_id.

The scanner recommends not using GET for sensitive parameters, or even better,
not accepting GET parameters for the endpoint at all.

Are the parameters for login-actions really sensitive? What are the reasons
that this endpoint allows both GET and POST forms?


Moe Doutaghy
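As an added example (not part of the original post, and not Keycloak's own code), the script below shows the concrete exposure the scanner is warning about: whatever is in the query string of the request line is written to web-server, reverse-proxy and browser-history records, and a later reader of those records gets the values without ever touching the session. It parses a few constructed Apache/nginx-style access-log lines, reports login-actions requests whose query string carries the parameters named in the report, and shows how a logging layer could mask them. Assumptions: the Keycloak context path is /auth, the log format is the common/combined format, and the report's "execution_session_code" is read as the two separate parameters execution and session_code.

```python
"""Flag Keycloak login-actions requests that carry sensitive values in the
query string of the request line, and show a redacted form for logging.

Added example for illustration; the log lines, IPs and realm name below are
constructed, not captured from a real deployment.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names taken from the scanner report.  Splitting
# "execution_session_code" into execution + session_code is an assumption.
SENSITIVE_PARAMS = {"session_code", "execution", "client_id"}

# Assumes the /auth context path used by older Keycloak deployments.
LOGIN_ACTIONS_RE = re.compile(r"^/auth/realms/[^/]+/login-actions/")

# Common log format: ip ident user [ts] "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: one GET and one POST to login-actions with the
# parameters in the query string, one unrelated OIDC request, one static
# asset, and one malformed line that must be skipped.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Oct/2019:16:11:17 -0400] "GET /auth/realms/demo/'
    'login-actions/authenticate?session_code=abc123&execution=exec-1'
    '&client_id=account HTTP/1.1" 200 1234',
    '10.0.0.5 - - [22/Oct/2019:16:11:20 -0400] "POST /auth/realms/demo/'
    'login-actions/authenticate?session_code=abc123&execution=exec-1'
    '&client_id=account HTTP/1.1" 302 0',
    '10.0.0.7 - - [22/Oct/2019:16:12:01 -0400] "GET /auth/realms/demo/'
    'protocol/openid-connect/auth?client_id=account&response_type=code'
    ' HTTP/1.1" 200 2048',
    '10.0.0.9 - - [22/Oct/2019:16:12:05 -0400] "GET /auth/resources/abc/'
    'login/keycloak/css/login.css HTTP/1.1" 200 512',
    "garbage line that does not match the log format",
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def leaked_params(target):
    """Sensitive parameter names present in the query of a login-actions URL.

    Only login-actions paths are examined; client_id on the OIDC
    authorization endpoint is a normal public parameter and is left alone.
    """
    parts = urlsplit(target)
    if not LOGIN_ACTIONS_RE.match(parts.path):
        return []
    return sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                   if k in SENSITIVE_PARAMS})


def find_leaks(lines):
    """Return (method, ip, [params]) for every request whose request line
    exposed sensitive login-actions parameters.  The method is reported but
    not filtered on: a query string is logged whether the request was GET or
    POST, so moving values into the body is what removes them from the log."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        params = leaked_params(rec["target"])
        if params:
            findings.append((rec["method"], rec["ip"], params))
    return findings


def redact(target):
    """Mask sensitive query values so the URL can be written to a log."""
    parts = urlsplit(target)
    query = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for method, ip, params in find_leaks(SAMPLE_LOG):
        print(f"{ip} {method} exposed {', '.join(params)} in the request line")
    print(redact(parse_line(SAMPLE_LOG[0])["target"]))
```

Running the script reports both the GET and the POST sample requests, because the values sit in the URL in either case; the unrelated OIDC authorization request is not reported even though it carries client_id. Redacting at the logging layer limits what an access log reveals, but it does not help with browser history or Referer headers, which is why the scanner's recommendation is to keep such values out of the URL altogether.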
