keycloak/keycloak

'view-clients' bypasses 'view-users' restriction via 'client-scoped' endpoints

Open

Opened on 9 May 2026

Labels: batch import, area/admin/fine-grained-permissions, help wanted, kind/bug, priority/normal, status/auto-bump, team/core-iam

Description

Area

admin/fine-grained-permissions

Describe the bug

A user with the permissions to view a client and its sessions can today also see which user is logged in to the application.

Acknowledgement

This was reported by Kelvin Mbogo (@addcontent) to the Keycloak security team. During triage this was considered a hardening.

The view-clients permission is already a high-privilege role that currently allows viewing the client credentials, so such a user might already have other ways to reach that data. Sharing the username and the userId with such a user is also not considered an exposure of sensitive data.

Version

26.6.2

Regression

  • The issue is a regression

Expected behavior

Someone with permission to view clients but not users should not be allowed to see which user is logged in. The entry for each session should still be present, but the username and userId should not be returned. The Admin UI should show a placeholder (like (hidden)).
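The redaction rule described above, as an added example that is not Keycloak's own code: session entries are kept so the number of active sessions stays visible, but `username` and `userId` are replaced by the `(hidden)` placeholder unless the caller holds `view-users`. The second function is the regression check a tester would run over the JSON actually returned by the sessions endpoint. The sample response is constructed for this example, and every field name other than `username` and `userId` is an assumption, not taken from the issue.

```python
"""Redaction and regression check for client-scoped session listings.

SAMPLE_RESPONSE is constructed for this example; it is not output from a
real Keycloak server. Field names other than "username" and "userId"
(id, ipAddress, start, lastAccess, clients) are assumed.
"""
import copy
import json

# Admin roles as named in the issue.
VIEW_USERS = "view-users"
VIEW_CLIENTS = "view-clients"

# Fields that identify the logged-in user; the issue says these must be hidden
# from a caller who lacks view-users.
IDENTITY_FIELDS = ("username", "userId")
PLACEHOLDER = "(hidden)"  # placeholder the issue suggests for the Admin UI

SAMPLE_RESPONSE = json.loads("""[
  {"id": "sess-1", "username": "alice", "userId": "u-111", "ipAddress": "10.0.0.5",
   "start": 1000, "lastAccess": 1100, "clients": {"c-1": "my-app"}},
  {"id": "sess-2", "username": "bob", "userId": "u-222", "ipAddress": "10.0.0.6",
   "start": 2000, "lastAccess": 2100, "clients": {"c-1": "my-app"}}
]""")


def redact_sessions(sessions, caller_roles):
    """Return a copy of the session list with identity fields replaced by the
    placeholder unless the caller holds view-users. Entries are never dropped,
    so a view-clients caller still sees how many sessions the client has."""
    if VIEW_USERS in set(caller_roles):
        return copy.deepcopy(sessions)
    redacted = []
    for session in sessions:
        entry = copy.deepcopy(session)  # never mutate the caller's data
        for field in IDENTITY_FIELDS:
            if field in entry:
                entry[field] = PLACEHOLDER
        redacted.append(entry)
    return redacted


def leaked_identity_fields(sessions, caller_roles):
    """Detection side: given a response received by a caller with caller_roles,
    return (session id, field) pairs that expose user identity to a caller who
    should not see it. An empty list means the response matches the expected
    behaviour from the issue."""
    if VIEW_USERS in set(caller_roles):
        return []
    leaks = []
    for session in sessions:
        for field in IDENTITY_FIELDS:
            value = session.get(field)
            if value not in (None, "", PLACEHOLDER):
                leaks.append((session.get("id"), field))
    return leaks


if __name__ == "__main__":
    clients_only = [VIEW_CLIENTS]
    # Against the unredacted sample this reports four leaks (the actual
    # behaviour the issue describes); after redaction it reports none.
    print("leaks before:", leaked_identity_fields(SAMPLE_RESPONSE, clients_only))
    fixed = redact_sessions(SAMPLE_RESPONSE, clients_only)
    print(json.dumps(fixed, indent=2))
    print("leaks after:", leaked_identity_fields(fixed, clients_only))
```

To use the check against a live deployment, replace `SAMPLE_RESPONSE` with the parsed JSON the sessions endpoint returned to an admin account that holds `view-clients` but not `view-users`; any non-empty result means the identity fields are still being returned to that account.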

Actual behavior

They see the username and the userId.

How to Reproduce?

Look at the Admin UI and the REST response.

Anything else?


This issue was originally tracked in the private repository. Migrated by @ahus1.
