Description
Source: https://issues.redhat.com/browse/RHSSO-2890
Requests to identity providers have no response size limitation. Receiving a large HTTP response body leads to resource exhaustion and Keycloak crashes. For an exploit, a request must be triggered against an HTTP server under the control of an attacker, which sends a large HTTP response body.
Requirements to exploit:
Administrator rights, or a foreign IDP is controlled by another party
Component affected:
org.keycloak.broker
Version affected:
=23.0.4
Impact: Low (Weakness). Considering that it requires administrative access, or a malicious IDP controlled by another party, it should be possible to mitigate the issue by blocking anomalously large responses, or by introducing rate limiting in front of the Keycloak server.
Steps to reproduce:
- Create and start a TCP server which sends an infinite HTTP chunked stream (see attached reproducer).
- Set up two realms, one as an identity provider for the other ("Keycloak OpenID Connect"). Both client and IDP contain valid configuration, except the "User Info URL" of the IDP configuration, which is set to the Python server URL. The realm which acts as IDP should contain an example user.
- Log in as the example user via IDP.
Keycloak crashes with:
keycloak-1 | Terminating due to java.lang.OutOfMemoryError: Java heap space
keycloak-1 exited with code 3
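The mitigation the report suggests, blocking anomalously large responses, comes down to bounding how much of a streamed body a client will buffer. The following is an added example, not Keycloak's code: a chunked-body decoder that checks each declared chunk size against a cap before reading it, so an endless chunked stream like the one in the reproducer is rejected instead of filling the heap. The cap value and the `endless_chunks` input are constructed for the example.

```python
from typing import Iterator

MAX_BODY_BYTES = 1024 * 1024  # assumed cap; per the report Keycloak applies none


class ResponseTooLarge(Exception):
    """Raised when the decoded body would exceed the configured cap."""


class _Buffered:
    """Minimal buffer over raw network reads, exposing line and fixed-length reads."""

    def __init__(self, reads: Iterator[bytes]) -> None:
        self._reads = reads
        self._buf = b""

    def _more(self) -> None:
        self._buf += next(self._reads)  # StopIteration means the peer closed early

    def read_line(self) -> bytes:
        while b"\r\n" not in self._buf:
            self._more()
        line, _, self._buf = self._buf.partition(b"\r\n")
        return line

    def read_exact(self, n: int) -> bytes:
        while len(self._buf) < n:
            self._more()
        data, self._buf = self._buf[:n], self._buf[n:]
        return data


def read_chunked_body(reads: Iterator[bytes], max_bytes: int = MAX_BODY_BYTES) -> bytes:
    """Decode a Transfer-Encoding: chunked body, buffering at most max_bytes.

    The size check runs on the declared chunk length before the chunk data is
    read, so memory use is bounded by max_bytes plus one chunk-size line."""
    src = _Buffered(reads)
    body = bytearray()
    while True:
        size_line = src.read_line().split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_line, 16)
        if size == 0:
            while src.read_line():  # consume optional trailers up to the blank line
                pass
            return bytes(body)
        if len(body) + size > max_bytes:
            raise ResponseTooLarge(f"chunked body exceeds {max_bytes} bytes")
        body += src.read_exact(size)
        if src.read_exact(2) != b"\r\n":
            raise ValueError("malformed chunk terminator")


def endless_chunks(chunk: bytes = b"A" * 4096) -> Iterator[bytes]:
    """Constructed stand-in for a server that never sends the terminating 0 chunk."""
    frame = f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n"
    while True:
        yield frame
```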