When calling the user info endpoint, the DPoP is not bound to the access token · Issue #38333 · keycloak/keycloak · GitHub
Closed
Description

@ahus1

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

When using DPoP with the user info endpoint and sending a DPoP proof, Keycloak doesn't check that the proof has the access token hash set, and doesn't verify that the access token contains the hash of the public key.

Due to this, you can use a DPoP access token, and generate any self-generated DPoP, which makes the access token basically not bound to DPoP at all, which renders the protection of DPoP useless.

I found this when reviewing the PR #38134.

Version

main

Regression

  • The issue is a regression

Expected behavior

When this feature was originally discussed, it was agreed that the access token should be bound to the DPoP proof: #22215

Actual behavior

You can see this here as we never add the hash to the DPoP proof in our own tests, not even for the user info endpoint:

```java
// Test helper building the proof payload: jti, htm, htu and iat are set,
// but no "ath" (access token hash) claim is ever added.
DPoP dpop = new DPoP();
dpop.id(jti);
dpop.setHttpMethod(htm);
dpop.setHttpUri(htu);
dpop.iat(iat);
```

We then use it here to call the user info endpoint successfully.

```java
// Proof for GET /userinfo signed with the test RSA key; it carries no "ath" claim,
// yet the user info request with the DPoP access token succeeds.
String dpopProofRsaEncoded = generateSignedDPoPProof(UUID.randomUUID().toString(), HttpMethod.GET, oauth.getEndpoints().getUserInfo(), (long) Time.currentTime(), Algorithm.PS256, jwsRsaHeader, rsaKeyPair.getPrivate());
UserInfoResponse userInfoResponse = oauth.userInfoRequest(accessTokenResponse.getAccessToken()).dpop(dpopProofRsaEncoded).send();
assertEquals(TEST_USER_NAME, userInfoResponse.getUserInfo().getPreferredUsername());
```

How to Reproduce?

See the test above.

Anything else?

This was discussed with the Keycloak Security Team to be a hardening issue.

I'll prepare a PR. I will also refactor the code as we plan to use the DPoP validation of access tokens also in other places.
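The two binding checks the report says are missing, shown as an added example that is not Keycloak's code: a resource server such as the user info endpoint must confirm that the proof's `ath` claim is the SHA-256 hash of the presented access token (RFC 9449 section 4.3) and that the token's `cnf.jkt` equals the RFC 7638 thumbprint of the public key in the proof header. The example assumes the proof's JWS signature and the access token's signature were already verified, so it works on parsed claims; the endpoint URL, key coordinates, token string and timestamps are constructed sample values, and `verify_dpop_bound_request`, `run_scenarios` and the other names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit


class DPoPError(Exception):
    """Raised when a request is not properly DPoP-bound."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}
    try:
        members = {k: jwk[k] for k in required[jwk["kty"]]}
    except KeyError as missing:
        raise DPoPError(f"JWK missing required member {missing}")
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def access_token_hash(access_token: str) -> str:
    """The 'ath' claim value: base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def _strip_query_fragment(uri: str) -> str:
    # htu is compared without query and fragment (RFC 9449 section 4.3).
    return urlsplit(uri)._replace(query="", fragment="").geturl()


def verify_dpop_bound_request(access_token, token_claims, proof_header, proof_claims,
                              htm, htu, now, max_skew=60):
    """Checks a resource server must make beyond verifying the proof's JWS signature."""
    if proof_header.get("typ") != "dpop+jwt":
        raise DPoPError("proof typ must be dpop+jwt")
    jwk = proof_header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        raise DPoPError("proof must carry a public JWK in its header")
    if proof_claims.get("htm") != htm:
        raise DPoPError("htm does not match the request method")
    if _strip_query_fragment(proof_claims.get("htu", "")) != _strip_query_fragment(htu):
        raise DPoPError("htu does not match the request URI")
    if abs(now - int(proof_claims.get("iat", 0))) > max_skew:
        raise DPoPError("proof iat outside the acceptable window")
    # Binding check 1: the proof must name this exact access token via "ath".
    ath = proof_claims.get("ath")
    if not isinstance(ath, str):
        raise DPoPError("proof has no ath claim: not bound to any access token")
    if not hmac.compare_digest(ath, access_token_hash(access_token)):
        raise DPoPError("ath does not match the presented access token")
    # Binding check 2: the token's cnf.jkt must be the thumbprint of the proof's key.
    jkt = (token_claims.get("cnf") or {}).get("jkt")
    if not isinstance(jkt, str):
        raise DPoPError("access token carries no cnf.jkt: it is not a DPoP-bound token")
    if not hmac.compare_digest(jkt, jwk_thumbprint(jwk)):
        raise DPoPError("cnf.jkt does not match the proof's key")
    return True


# Constructed sample data: URL, key coordinates, token and time are illustrative only.
HTU = "https://idp.example.test/realms/demo/protocol/openid-connect/userinfo"
NOW = 1_700_000_000
CLIENT_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256",
                "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
                "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
ACCESS_TOKEN = "constructed.dpop-bound.access-token"  # stand-in for the real JWT string
BOUND_TOKEN_CLAIMS = {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}
BEARER_TOKEN_CLAIMS = {"sub": "alice"}


def make_proof(jwk, include_ath):
    """Parsed header and claims of a proof for GET /userinfo, optionally without 'ath'."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": "c9f2e0b4-constructed", "htm": "GET", "htu": HTU, "iat": NOW}
    if include_ath:
        claims["ath"] = access_token_hash(ACCESS_TOKEN)
    return header, claims


def outcome(token_claims, header, claims):
    try:
        verify_dpop_bound_request(ACCESS_TOKEN, token_claims, header, claims,
                                  "GET", HTU + "?x=1", NOW + 5)
        return "accepted"
    except DPoPError as err:
        return f"rejected: {err}"


def run_scenarios():
    return {
        "legitimate client": outcome(BOUND_TOKEN_CLAIMS, *make_proof(CLIENT_JWK, True)),
        "stolen token, own key, no ath": outcome(BOUND_TOKEN_CLAIMS, *make_proof(ATTACKER_JWK, False)),
        "stolen token, own key, correct ath": outcome(BOUND_TOKEN_CLAIMS, *make_proof(ATTACKER_JWK, True)),
        "bearer token with a proof": outcome(BEARER_TOKEN_CLAIMS, *make_proof(CLIENT_JWK, True)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The second scenario is the shape of the test quoted above: a proof that is valid on its own (signature, htm, htu, iat) but carries no `ath`, signed by a key the token was never bound to. Without the two binding checks such a proof is accepted; with them it is rejected before the key comparison is even reached, and a proof that does carry the right `ath` is still rejected because the attacker's key thumbprint does not match `cnf.jkt`.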
