keycloak/keycloak

'view-clients' bypasses 'view-users' restriction via 'client-scoped' endpoints

Open

#48858 opened on May 9, 2026

Labels: area/admin/fine-grained-permissions, help wanted, kind/bug, priority/normal, status/auto-bump, team/core-iam

Description

Area

admin/fine-grained-permissions

Describe the bug

A user with the permissions to view a client and its sessions can today also see which user is logged in to the application.

Acknowledgement

This was reported by Kelvin Mbogo (@addcontent) to the Keycloak security team. During triage this was considered a hardening.

The view-client permission is already a high-priv role that currently allows access to view the client credentials, so the user might have other means to get to that data already. Also sharing the username and the userId isn't considered an exposure of sensitive data to such a user.

Version

26.6.2

Regression

  • The issue is a regression

Expected behavior

Someone with permissions to view the clients but not users should not be allowed to see which user is logged in. The entries for each session should be there, but the username and userId should not be returned. The Admin UI should show a placeholder (like (hidden)).

Actual behavior

They see the username and the userId.

How to Reproduce?

Look at the Admin UI and the REST response.

Anything else?


This issue was originally tracked in the private repository. Migrated by @ahus1.
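As an added example (not code from the issue or from Keycloak), the check below works through the "How to Reproduce" and "Expected behavior" sections: it flags session entries that reveal username/userId to a caller holding only view-clients, and shows the redacted form the report asks for. The endpoint path `/admin/realms/{realm}/clients/{id}/user-sessions`, the field names, and the sample data are assumptions drawn from the Admin REST API shape rather than from this issue.

```python
import json
import urllib.request

# Constructed sample: the JSON shape returned for a client's user sessions
# (assumed UserSessionRepresentation fields; all values are made up).
SAMPLE_SESSIONS = json.loads("""[
  {"id": "sess-0001", "username": "alice", "userId": "user-aaaa",
   "ipAddress": "203.0.113.10", "start": 1715241600000, "lastAccess": 1715245200000},
  {"id": "sess-0002", "username": "bob", "userId": "user-bbbb",
   "ipAddress": "203.0.113.11", "start": 1715241700000, "lastAccess": 1715245300000}
]""")

IDENTITY_FIELDS = ("username", "userId")
PLACEHOLDER = "(hidden)"   # placeholder suggested in the issue's expected behavior


def exposed_sessions(sessions, caller_roles):
    """Ids of entries that reveal a user identity to a caller lacking view-users.
    A non-empty result reproduces the condition this issue describes."""
    if "view-users" in caller_roles:
        return []
    return [s["id"] for s in sessions if any(s.get(f) for f in IDENTITY_FIELDS)]


def redact_for_caller(sessions, caller_roles):
    """Expected behavior from the issue: keep one entry per session, but replace
    username/userId with a placeholder when the caller has no view-users role."""
    if "view-users" in caller_roles:
        return [dict(s) for s in sessions]
    redacted = []
    for s in sessions:
        entry = dict(s)  # copy so the original representation is left untouched
        for field in IDENTITY_FIELDS:
            if field in entry:
                entry[field] = PLACEHOLDER
        redacted.append(entry)
    return redacted


def fetch_client_sessions(base_url, realm, client_uuid, access_token):
    """Live variant of the check (not executed in this offline example): call the
    admin endpoint with a token that holds view-clients but not view-users, then
    pass the result to exposed_sessions()."""
    url = f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/user-sessions"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```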
