Misconfigured Reset Credentials Flow allows immediate passwordless access
#40.744 aperta il 26 giu 2025
Metriche repository
- Star
- (34.398 star)
- Metriche merge PR
- (Merge medio 6g 19h) (384 PR mergiate in 30 g)
Descrizione
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
Under circumstances detailed in the How to Reproduce? section, a user can gain access to protected resources without providing any proof about their identity, while executing a misconfigured Reset Credentials flow.
The reset-credentials-choose-user provider's action method associates the user model identified by the entered username or e-mail address to the context (via the AuthenticationFlowContext.setUser(...) method) soon as it realizes the user exists and is enabled.
If the Choose User execution is the only required step in the flow (by misconfiguration), the user is immediately authenticated.
While this is perfectly correct in the Browser flow (you only need to pass required steps), in my opinion, steps in the Reset Credentials flow may require extra coordination.
In my customization, I worked around this situation propagating the chosen user by means of an auth note, loading the user model from the session's UserProvider when needed and postponing the association to the context until the user proved their identity (by clicking the received link or, in my case, by entering the received OTP). Identity check and user association are performed in the second step (a customization of the reset-credential-email provider). In case of misconfiguration, this second step will never be executed and no association will be performed, causing the flow to end with no authenticated user (which may be rough, but better than getting logged in).
Version
23.0.7
Regression
- The issue is a regression
Expected behavior
Everithing except being logged in.
Actual behavior
User is logged in.
How to Reproduce?
- Download the latest version of Keycloak (currently, 26.2.5).
- Start up the server (in either development or production mode).
- Set up an initial user, if necessary (e.g.
admin), and log in to the Administration Console. - In the
Logintab of theRealm settingspage, turn theForgot passwordswitch on in theLogin screen customizationsection. - On the
Authenticationpage, duplicate thereset credentialsflow (the new name is irrelevant). - On the duplicated flow page, remove the
Send Reset EmailandReset Passwordexecutions. - On the same page, bind this new flow to the
Reset credentials flow. - Log out of the Administration Console.
- Click the
Forgot password?link on the login screen. - Type in a username (e.g.
admin) and click theSubmitbutton. - Enjoy your authenticated session.
Anything else?
No response