
Restrict the access to 'whoami' endpoint for tokens issued for the admin console client #25219

@abstractj

Description

Original reporter

@atexela

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/ui

Describe the bug

We use Keycloak 18.0.2 as our Org IdP. It's been a year of happy use.
However, recently our security team has reported an IDOR defect in security-admin-console (admin UI OIDC client). Please read about the details in the "Actual Behavior" and "How to Reproduce" sections.

Version

18.0.2

Expected behavior

Please read this after reading "Actual Behavior" that was observed...
One should not be able to see other people's information using stolen tokens
Our suggestion is to convert this client (security-admin-console) to a "confidential" OIDC client and not keep the token info on the client. All tokens should be strictly on the server side.

Actual behavior

Our security team's Burp Suite reported that when anyone logs in to the admin console, there is a "whoami" URL that gets called (among many other URLs) as part of the screen load sequence. This URL shows the user's token, and if you replace it with anyone else's token, you can easily see that user's information on whoami. Now, there is no page associated with this URL, but hackers' spiders could easily detect these weaknesses and use them to their advantage (one could use a stolen token of higher privilege and hack in).

How to Reproduce?

Please see the reported defect writeup and images from our security team

[images attached to the report: idor-1, idor-2, idor-3]

Anything else?

No response
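The mitigation the issue title describes is a server-side check that a bearer token presented to whoami was actually issued to the admin console client, so a valid token minted for some other client is refused. The following is an added illustration of that guard, not Keycloak's own code: it assumes an HS256 demo key and a made-up realm issuer URL for self-containment (Keycloak signs realm tokens with RS256), and keys the decision on the token's `azp` claim being `security-admin-console`, the client named in the report.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key and issuer; neither is a real Keycloak value.
DEMO_SECRET = b"demo-hmac-key-not-a-real-keycloak-secret"
REALM_ISSUER = "https://idp.example.org/realms/master"   # assumed issuer URL
ADMIN_CONSOLE_CLIENT = "security-admin-console"          # client named in the issue


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build an HS256 JWT for the demo (stand-in for a Keycloak-issued token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def whoami_guard(token: str, now=None):
    """Return the token's claims only if it verifies AND was issued to the
    admin console client; return None (deny) in every other case."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None                      # not a three-part JWT
    expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None                      # forged or tampered token
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != REALM_ISSUER or claims.get("exp", 0) <= now:
        return None                      # wrong realm or expired
    # The check the issue asks for: the authorized party must be the admin
    # console client, so a valid token minted for any other client is refused.
    if claims.get("azp") != ADMIN_CONSOLE_CLIENT:
        return None
    return claims
```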
