Skip to content

To harden keycloak (using stricter policy,stricter role provision, removing unwanted authorizations) #209

Description

@Mahesh-Binayak

keycloak-jboss runs jboss/keycloak:9.0.0 (keycloak-jboss/Dockerfile:1) — released ~2020, long end-of-life, WildFly-based (Keycloak moved to Quarkus at v17). Many known CVEs. This is the single biggest risk.
keycloak-artemis bundles Keycloak 16.1.1 on minideb:buster (keycloak-artemis/Dockerfile) — Keycloak 16 is EOL, and Debian 10 "buster" is EOL for standard support. Upgrade to a current supported Keycloak (26.x line) on a maintained base.
Old, vulnerable Python deps in requirements.txt: python-keycloak==0.26.1, requests==2.25.1, urllib3==1.26.5, PyYAML==5.4.1. Several have published CVEs. Pin to current patched versions.

"redirectUris": ['*'] — wildcard redirect URIs on all clients. Classic open-redirect / token-exfiltration vector. Set explicit, per-client allow-lists.
"directAccessGrantsEnabled": True — enables the ROPC (password) grant everywhere. Disable except where truly required.
"authorizationServicesEnabled": True — turns on fine-grained authorization services for every client, expanding attack surface unnecessarily. Enable only where used.
Public client uses "fullScopeAllowed": True — the token gets all realm roles. Restrict client scope.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions