[keycloak-user] Potential Vulnerability on Login-action endpoint

Stian Thorgersen sthorger at redhat.com
Wed Oct 23 01:40:22 EDT 2019


These are not sensitive, and you should not report potential
vulnerabilities on a public mailing list.

On Tue, 22 Oct 2019, 22:13 Hossein Doutaghy, <hossein.doutaghy at gmail.com>
wrote:

> Hi,
>
> Web security scanner found that Keycloak Admin console is using GET with
> login-actions endpoint. It points out that several parameters are visible in
> url which can be sensitive. E.g. execution_session_code, client_id.
>
> Scanner recommends not to use GET for sensitive parameters, or even better
> not accepting GET parameters for the endpoint at all.
>
> Are the parameters for login-actions really sensitive? What is the reason
> that this endpoint allows both GET and POST form?
>
>
> Moe Doutaghy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
