Keycloak
Keycloak is an open-source identity and access management (IAM) solution developed by Red Hat. It provides a comprehensive platform for managing authentication, authorization, and user management for applications and services. Keycloak is designed to be extensible and adaptable, making it a popular choice for organizations looking to implement Single Sign-On (SSO) and secure their applications with minimal effort.
How Keycloak Works
Keycloak operates as a central authentication server, managing user identities and access controls. It integrates with applications via standard protocols such as OpenID Connect, OAuth 2.0, and SAML 2.0, enabling secure authentication and authorization. Here's a high-level overview of how Keycloak works:
- Identity Management: Keycloak manages user identities, including user registration, login, logout, and account management. It supports various user authentication methods, including username/password, social logins, and multi-factor authentication (MFA).
- Single Sign-On (SSO): Keycloak allows users to authenticate once and gain access to multiple applications without needing to log in separately to each one. This reduces the burden on users and improves security by centralizing authentication.
- Authorization Services: Keycloak provides a fine-grained authorization mechanism, allowing administrators to define and enforce access policies based on roles, groups, or custom attributes. This ensures that only authorized users can access specific resources.
- Federation and Brokering: Keycloak can integrate with external identity providers (IdPs), such as LDAP, Active Directory, or other SAML/OIDC providers, enabling organizations to use existing user databases for authentication. It can also act as an identity broker, allowing users to authenticate through social providers like Google or Facebook.
- Admin Console: Keycloak comes with a web-based administration console, which allows administrators to manage realms, users, roles, and client applications. It provides a user-friendly interface for configuring authentication flows, managing credentials, and monitoring sessions.
Detecting if an Application is Using Keycloak
You can detect if an application is using Keycloak through the following methods:
- Inspect HTTP Traffic:
  - Look for URLs with paths like /auth/realms/ or /realms/{realm-name}/protocol/openid-connect/auth.
  - Examine JWT tokens for claims like iss pointing to a Keycloak server.
  - Check for cookies named KEYCLOAK_SESSION or similar.
- Analyze HTML and JavaScript:
  - Inspect login pages for forms that post to Keycloak-specific endpoints.
  - Look for JavaScript libraries like keycloak.js loaded by the application.
- Examine API Requests:
  - Watch for OAuth 2.0/OpenID Connect requests to endpoints like /realms/{realm-name}/protocol/openid-connect/token.
  - Decode Bearer tokens to see if they contain Keycloak-specific fields.
- Check for Keycloak Endpoints:
  - Access the OpenID Connect discovery document at /.well-known/openid-configuration.
  - Attempt to access the Keycloak Admin Console at /auth/admin/.
- Review Configuration Files:
  - Look for Keycloak-specific libraries in the source code.
  - Check environment variables like KEYCLOAK_REALM or KEYCLOAK_SERVER_URL.
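The "decode Bearer tokens" and "iss claim" checks above, as an added example that is not part of the original page: it decodes a captured JWT without verifying it, tests the issuer against the Keycloak realm URL shape and counts Keycloak-specific claims. The sample tokens, host names and the dummy signature are constructed for the example.

```python
import base64
import json
import re

# Keycloak issuers look like https://host[/auth]/realms/<realm>; the /auth prefix is
# present on older WildFly-based deployments and absent on newer Quarkus-based ones.
KEYCLOAK_ISSUER_RE = re.compile(r"^https?://[^/]+(?:/auth)?/realms/(?P<realm>[^/?#]+)/?$")
# Claims Keycloak adds to its access tokens beyond the standard OIDC set.
KEYCLOAK_CLAIMS = ("azp", "session_state", "sid", "realm_access", "resource_access", "preferred_username")

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str) -> tuple:
    """Decode header and payload of a compact JWT WITHOUT checking the signature.
    Fine for inventory/fingerprinting of captured traffic; never use it for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def keycloak_fingerprint(token: str) -> dict:
    """Collect the evidence that a token was issued by Keycloak, including the realm name."""
    header, payload = decode_jwt_unverified(token)
    iss = payload.get("iss", "")
    match = KEYCLOAK_ISSUER_RE.match(iss)
    found = [c for c in KEYCLOAK_CLAIMS if c in payload]
    return {
        "issuer": iss,
        "realm": match.group("realm") if match else None,
        "keycloak_claims": found,
        "kid": header.get("kid"),
        # Require the realm-shaped issuer plus two Keycloak-specific claims; one signal alone is weak.
        "is_keycloak": bool(match) and len(found) >= 2,
    }

def make_sample_token(payload: dict) -> str:
    """Build a constructed compact JWT for offline testing (the signature part is a dummy)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([enc(header), enc(payload), "dummysig"])

# Constructed samples, not captured from any real deployment: one Keycloak-shaped, one not.
SAMPLE_KEYCLOAK_TOKEN = make_sample_token({
    "iss": "https://sso.example.test/realms/demo", "azp": "web-app", "preferred_username": "alice",
    "session_state": "constructed-session", "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"web-app": {"roles": ["viewer"]}}})
SAMPLE_OTHER_TOKEN = make_sample_token({"iss": "https://login.example.test/oauth2/v1", "sub": "bob"})
```

Run keycloak_fingerprint on tokens pulled from proxy logs to inventory which realms and clients an application actually talks to.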
Enumeration
Keycloak works with REALMS. The default realm is master, but organisations can define their own realms. These can be bruteforced. The default URL to check is:
/realms/master/.well-known/openid-configuration
If a realm doesn't exist, e.g.:
/realms/notavalidrealm/.well-known/openid-configuration
it will return a 404. Use Burp Intruder to detect the existing realms. The best list to use is found here: https://raw.githubusercontent.com/chrislockard/api_wordlist/master/objects.txt
If you successfully got access to a realm, you can gain more information about the configuration by visiting the following URLs:
- /realms/REALM/.well-known/openid-configuration
- /realms/REALM/protocol/openid-connect/certs
Hidden self-registration
Realms can be configured to allow user self-registration. This is not an issue in itself and is often advertised on the login page:
However, even if the application hides the registration link, we can still try to access the registration link directly, which is: /auth/realms/<realm_name>/login-actions/registration?client_id=<same_as_the_login_page>&tab_id=<same_as_the_login_form>