keycloak/keycloak

Misconfigured Reset Credentials Flow allows immediate passwordless access

Open

#40,744 建立於 2025年6月26日

在 GitHub 查看
 (2 留言) (1 反應) (0 負責人)Java (8,346 fork)batch import
area/authenticationhelp wantedkind/bugpriority/normalstatus/auto-bumpteam/core-authnteam/core-clients

倉庫指標

Star
 (34,398 star)
PR 合併指標
 (平均合併 6天 19小時) (30 天內合併 384 個 PR)

描述

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

Under circumstances detailed in the How to Reproduce? section, a user can gain access to protected resources without providing any proof about their identity, while executing a misconfigured Reset Credentials flow.

The reset-credentials-choose-user provider's action method associates the user model identified by the entered username or e-mail address to the context (via the AuthenticationFlowContext.setUser(...) method) soon as it realizes the user exists and is enabled. If the Choose User execution is the only required step in the flow (by misconfiguration), the user is immediately authenticated.

While this is perfectly correct in the Browser flow (you only need to pass required steps), in my opinion, steps in the Reset Credentials flow may require extra coordination.

In my customization, I worked around this situation propagating the chosen user by means of an auth note, loading the user model from the session's UserProvider when needed and postponing the association to the context until the user proved their identity (by clicking the received link or, in my case, by entering the received OTP). Identity check and user association are performed in the second step (a customization of the reset-credential-email provider). In case of misconfiguration, this second step will never be executed and no association will be performed, causing the flow to end with no authenticated user (which may be rough, but better than getting logged in).

Version

23.0.7

Regression

  • The issue is a regression

Expected behavior

Everithing except being logged in.

Actual behavior

User is logged in.

How to Reproduce?

  • Download the latest version of Keycloak (currently, 26.2.5).
  • Start up the server (in either development or production mode).
  • Set up an initial user, if necessary (e.g. admin), and log in to the Administration Console.
  • In the Login tab of the Realm settings page, turn the Forgot password switch on in the Login screen customization section.
  • On the Authentication page, duplicate the reset credentials flow (the new name is irrelevant).
  • On the duplicated flow page, remove the Send Reset Email and Reset Password executions.
  • On the same page, bind this new flow to the Reset credentials flow.
  • Log out of the Administration Console.
  • Click the Forgot password? link on the login screen.
  • Type in a username (e.g. admin) and click the Submit button.
  • Enjoy your authenticated session.

Anything else?

No response

貢獻者指南