Keycloak is a popular open-source identity and access management solution. It’s used by many organizations to secure applications with Single Sign-On (SSO), manage users, and control access. However, even the best security tools aren't immune to vulnerabilities. In late 2023, a dangerous vulnerability called CVE-2023-6291 was found in Keycloak’s redirect URI validation logic. This issue opens the door for attackers to bypass security checks and potentially steal access tokens, leading to the impersonation of other users and leaked sensitive data.
In this post, we'll break down what CVE-2023-6291 is, show how attackers can exploit it with simple code examples, and provide references for further reading. We'll also discuss how to defend against this kind of vulnerability.
What is CVE-2023-6291?
The CVE-2023-6291 vulnerability lies in the way Keycloak handles the redirect_uri parameter after a user logs in. The redirect_uri is supposed to ensure that, after authenticating, the user is only sent to pre-approved endpoints (like your own app). But, due to a flaw, attackers can trick Keycloak into accepting malicious redirect URIs, even if those hosts aren’t trusted.
If the attacker succeeds, they can intercept authentication tokens and impersonate legitimate users—a classic OAuth2 "redirect abuse" attack.
Attacker captures the access token and uses it to impersonate the user.
All this happens because Keycloak failed to strictly check if the redirect_uri matched exactly with an allowed host.
Code Example: Exploiting the Flaw
Suppose your Keycloak is configured to allow only redirects to https://secure.example.com/callback.
How it Should Work (Safe Scenario):
GET /auth/realms/demo/protocol/openid-connect/auth?
client_id=myapp
&redirect_uri=https://secure.example.com/callback
&response_type=code
Due to the bug, an attacker can send a tricky redirect_uri with a legal-looking hostname
GET /auth/realms/demo/protocol/openid-connect/auth?
client_id=myapp
&redirect_uri=https://secure.example.com.attacker.com/callback
&response_type=code
# or this sneaky trick
&redirect_uri=https://secure.example.com%2F%2E%2E.attacker.com/callback
Keycloak mistakenly considers https://secure.example.com.attacker.com/callback as permitted because, during validation, it doesn't enforce a strict hostname match but rather does a loose string comparison.
Attacker registers a malicious domain, say secure.example.com.attacker.com.
2. Attacker tricks the victim into clicking a phishing OAuth login link using the vulnerable redirect_uri.
3. Victim logs in at Keycloak; Keycloak sends the access token or code to the attacker-controlled endpoint.
4. Attacker captures the code/token when the victim’s browser is redirected to secure.example.com.attacker.com/callback?code=XYZ....
5. Attacker redeems the code/token at Keycloak to impersonate the victim.
Result: The attacker has full access as if they were the victim!
Keycloak’s Fix and Upgrade Path
The Keycloak team quickly patched this issue. They now use strict URL parsing and matching, ensuring the redirect_uri host matches exactly and isn’t just a prefix. Upgrading to Keycloak versions 22..8, 23..3, 24..1, or later will fix the flaw.
References and Further Reading
- NVD: CVE-2023-6291
- Keycloak Security Advisory (GHSA-gq2v-wgc3-pj9w)
- Keycloak Issue Tracker: KC-10218 *(not specifically this CVE, but relevant for Keycloak OAuth issues)*
How Can You Protect Your Application?
1. Upgrade Keycloak
Make sure you’re running one of the fixed versions: 22..8, 23..3, 24..1, or above.
2. Strict URI Checking
Do not use wildcards or subdomain wildcards in allowed redirect URIs. Always specify the full URL (scheme, host, path).
3. Regular Security Reviews
Periodically review OAuth2 settings and your identity provider configurations for any overly broad permissions.
4. Monitor for Sunken Tokens
Track token usage and set short expiration times wherever possible so that even if an access token is leaked, it soon becomes useless.
5. Educate Users Against Phishing
Many OAuth-based attacks rely on phishing. User training is critical.
Wrap Up
CVE-2023-6291 shows how tiny oversights in security checks can lead to big problems. If you use Keycloak, the best thing you can do is upgrade right away and verify your OAuth2 settings. A few minutes of precaution can save from potentially huge headaches down the road.
*Stay safe, keep your identity solutions up to date, and always validate those URIs!*
Timeline
Published on: 01/26/2024 15:15:08 UTC
Last modified on: 02/04/2024 20:15:46 UTC