Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: RH-SSO-7.6.3
Affects Version/s: RH-SSO-7.6.1
Component/s: Server
Labels:
- release-candidate
- rh-sso-release-candidate

Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
RHSSO 7.6.3
Git Pull Request:
https://gitlab.cee.redhat.com/keycloak/keycloak-prod/-/merge_requests/225
Steps to Reproduce:

Hide

OTP used in concurrent session, Logging in different browsers and at the same time entered same OTP and it is accepted by application.

By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code.

Show
OTP used in concurrent session, Logging in different browsers and at the same time entered same OTP and it is accepted by application. By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code.

SFDC Cases Links:
SFDC Cases Counter:

Description

Customer is able to reproduce the issue with TOTP even in the latest version of RH SSO 7.6.1.

As suggested in SSOSUP-392

issue is fixed in Keycloak 20 https://github.com/keycloak/keycloak/issues/13607

Can we back port this for RH SSO 7.6.1?

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

OPT_issue_1.png
162 kB
2022/12/15 1:41 PM
OPT_issue_2.png
145 kB
2022/12/15 1:41 PM
OPT_issue_3.png
285 kB
2022/12/15 1:41 PM

Activity

People

Assignee:: Peter Skopek

Reporter:: Santoshi saatmaku

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022/12/15 1:42 PM

Updated:: 2024/04/19 1:55 PM

Resolved:: 2023/04/20 1:07 PM