Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-762

[GHI#25220] Authenticated users should not be able to delete their passwords via a DELETE request

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Authenticated users are able to delete their passwords via a DELETE request to a user's credential ID endpoint. This is despite the user's password being marked as non-removable by a boolean. Upon this DELETE request being processed, a user will have their password deleted, preventing this user from logging in.

      == Replication Steps

      1. A user must obtain their credentials ID via intercepting a GET request made to the credential endpoint. The password credential is located under userCredentialMetadatas as id. See
      2. A DELETE request can then be sent to the credentials ID endpoint. This request will remove the password from the user account.
      3. A subsequent request to the credential endpoint will verify that the password credential no longer exists.

              Unassigned Unassigned
              pskopek@redhat.com Peter Skopek
              Keycloak Core Features
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: