Keycloak / KEYCLOAK-2804

Authenticator config reveals admin password in Firefox


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.9.1.Final
    • Fix Version/s: 1.9.2.Final
    • Component/s: Authentication
    • Labels: None
    Steps to Reproduce

      Create a custom Authenticator and AuthenticatorFactory implementation with a ProviderConfigProperty as follows:

      // Static list of configuration properties exposed by the AuthenticatorFactory
      private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();

      static {
          ProviderConfigProperty property = new ProviderConfigProperty();
          property.setName(BiomorfAuthenticator.AUTH_SERVICE_URI_KEY);
          property.setLabel("Upstream Authentication Service URI");
          // A plain String property is rendered by the admin console as an <input type="text">
          property.setType(ProviderConfigProperty.STRING_TYPE);
          property.setHelpText("URI of the upstream authentication service.");
          configProperties.add(property);
      }

      Deploy the provider jar to the providers/ subdirectory of the WildFly installation. Start the server and log in as the admin user. When Firefox prompts to save the credentials, save them.

      Click the "Authentication" link in the left navigation, and create a new generic flow in the "Flows" tab. Add an execution using the new provider and Save. Click on the "Actions" dropdown link next to the provider in the flow, and choose "Config." The admin user's password will be visible in the text box for the Upstream Authentication Service URI.
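      The fragment above only shows the static block. For anyone reproducing this report, the following is a complete, minimal AuthenticatorFactory and Authenticator pair that exposes the same String-typed property and reads it back at authentication time. It is an added example written for this page, not the reporter's original provider nor Keycloak project code; the package, class names, provider id and the https-only check are assumptions, and the constant is declared on the factory rather than on a separate BiomorfAuthenticator class. Because the admin console can (as this bug shows) end up storing a browser-autofilled credential in the URI field, the authenticator refuses to run with a value that does not parse as an https URI instead of sending it anywhere.

```java
package com.example.keycloak.auth; // hypothetical package, not part of Keycloak

import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class UpstreamUriAuthenticatorFactory implements AuthenticatorFactory {

    public static final String PROVIDER_ID = "upstream-uri-authenticator"; // hypothetical id
    public static final String AUTH_SERVICE_URI_KEY = "authServiceUri";    // assumed key name

    // Configuration properties shown under Actions -> Config in the admin console.
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();

    static {
        ProviderConfigProperty property = new ProviderConfigProperty();
        property.setName(AUTH_SERVICE_URI_KEY);
        property.setLabel("Upstream Authentication Service URI");
        property.setType(ProviderConfigProperty.STRING_TYPE); // rendered as <input type="text">
        property.setHelpText("URI of the upstream authentication service.");
        configProperties.add(property);
    }

    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
        AuthenticationExecutionModel.Requirement.REQUIRED,
        AuthenticationExecutionModel.Requirement.DISABLED
    };

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Upstream URI Authenticator"; }
    @Override public String getHelpText() { return "Delegates authentication to a configured upstream service."; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return true; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return configProperties; }
    @Override public Authenticator create(KeycloakSession session) { return new UpstreamUriAuthenticator(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }

    /** The per-execution authenticator; it reads the URI configured on its execution. */
    public static class UpstreamUriAuthenticator implements Authenticator {

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            AuthenticatorConfigModel configModel = context.getAuthenticatorConfig();
            String configured = configModel == null ? null : configModel.getConfig().get(AUTH_SERVICE_URI_KEY);

            // Defensive check (assumption for this example): a value that is not an https URI,
            // for instance a browser-autofilled password, must never be used as an endpoint.
            if (!isHttpsUri(configured)) {
                context.failure(AuthenticationFlowError.INTERNAL_ERROR);
                return;
            }

            // The actual call to the upstream service is out of scope for this example.
            context.success();
        }

        static boolean isHttpsUri(String value) {
            if (value == null || value.isEmpty()) return false;
            try {
                URI uri = new URI(value);
                return "https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null;
            } catch (URISyntaxException e) {
                return false;
            }
        }

        @Override public void action(AuthenticationFlowContext context) { }
        @Override public boolean requiresUser() { return false; }
        @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
        @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
        @Override public void close() { }
    }
}
```

      To make the provider discoverable, package it with a META-INF/services/org.keycloak.authentication.AuthenticatorFactory file containing the factory's fully qualified class name, then drop the jar into providers/ as described above. Anything that is genuinely a secret (an API key for the upstream service, for example) should be declared with the Password property type rather than STRING_TYPE, so the admin console renders it in the type="password" input shown in the description instead of a plain text box.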


    Description

      When using a custom authenticator implementing the Authenticator SPI and allowing configuration, a property of type ProviderConfigProperty.STRING_TYPE is populated with the admin user's password if the admin user has asked Firefox to remember the user's password on the login screen. If the admin user does not ask Firefox to store their Keycloak login credentials, the provider configuration field is not populated with the password.

      It's not clear why Firefox does this, since the HTML of the password field on the login page is

      <input id="password" class="form-control" name="password" autocomplete="off" type="password">

      while the HTML of the config field is controlled by Angular and is

      <input class="form-control ng-valid ng-dirty ng-touched" data-ng-model="config[ option.name ]" type="text">

      However, the HTML of the enclosing div of the config field does contain 'Password', and the following div hides a password field, which may be the problem:

      <div class="col-sm-6" data-ng-hide="option.type == 'boolean' || option.type == 'List' || option.type == 'Role' || option.type == 'ClientList' || option.type == 'Password'">
      <input class="form-control ng-valid ng-dirty ng-touched" type="text" data-ng-model="config[ option.name ]">
      </div>
      <!-- The following div is hidden -->
      <div class="col-sm-6 ng-hide" data-ng-show="option.type == 'Password'">
      <input class="form-control ng-untouched ng-valid ng-dirty ng-valid-parse" type="password" data-ng-model="config[ option.name ]">
      </div>

      People

        Assignee: Unassigned
        Reporter: Paul Blair (pblair_jira)
        Votes: 0
        Watchers: 2