
Potential race condition via initial-access-token count limit bypass #27294

@abstractj

Description


Source: https://issues.redhat.com/browse/RHSSO-2932

The Keycloak "client-registration" initial-access-token count limit (set by the admin when the token is created) can be bypassed when the same token is used multiple times in parallel (race condition).

Requirements:
An initial access token created by the admin

Component affected:
org.keycloak.client.registration

Version affected:

= 23.0.5

Impact: Low (weakness), considering that it requires administrative access to configure client registration policies within a realm. In the event of a client abusing an initial access token to cause a DDoS, it should be possible to revoke the token or to introduce mitigation mechanisms such as rate limiting.

Steps to reproduce:

  1. On the Keycloak realm (UI) create an initial-access-token
  • Clients -> Initial access token -> Create.
  • Set a limit for the count (2 for example) -> Save.
  • Copy the produced initial-access-token.
  2. Use the initial-access-token in a client creation request
  • For reference (assuming a local proxy is used):

    curl --proxy 127.0.0.1:8080 -i -s -k -X $'POST' \
      -H $'Host: keycloak.m2a.local:8443' \
      -H $'Authorization: Bearer <initial-access-token>' \
      -H "Accept: */*" -H "content-type: application/json" \
      --data-binary $'{\"clientId\":\"client_1000\",\"name\":\"\",\"description\":\"\"}\x0d\x0a\x0d\x0a' \
      $'https://keycloak.m2a.local:8443/realms/demo-realm/clients-registrations/default'

  3. Make multiple copies of the request with different parameters
  • Update the clientId (JSON parameter) in each request.
  • Send the requests in parallel.
  • Note: Burp Suite Community can be used for that.
  4. Inspect the created clients
  • Inspect the initial access token "Remaining count".
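As an added illustration (not from the issue and not Keycloak's own code), the check-then-decrement race behind this report simulated in Go: ten parallel registrations against a token whose count limit is 2. `Token`, `naiveConsume`, `safeConsume` and `RunRace` are hypothetical names, and the compare-and-swap fix stands in for the single conditional update a database-backed counter would use.

```go
package main

import (
	"sync"
	"sync/atomic"
)

type Token struct{ remaining int32 } // hypothetical initial-access-token: uses left
// naiveConsume is the racy check-then-decrement: every caller that reads
// remaining > 0 before anyone decrements gets through. ready/start widen
// the window deterministically so the demonstration is reproducible.
func naiveConsume(t *Token, ready *sync.WaitGroup, start <-chan struct{}) bool {
	allowed := atomic.LoadInt32(&t.remaining) > 0 // check
	ready.Done()                                  // "I have checked"
	<-start                                       // every caller is past the check
	if allowed {
		atomic.AddInt32(&t.remaining, -1) // act: too late, the limit is already bypassed
	}
	return allowed
}

// safeConsume decrements only while the value is still positive (compare-and-swap);
// a DB-backed store would use one conditional UPDATE ... WHERE remaining > 0 instead.
func safeConsume(t *Token) bool {
	for cur := atomic.LoadInt32(&t.remaining); cur > 0; cur = atomic.LoadInt32(&t.remaining) {
		if atomic.CompareAndSwapInt32(&t.remaining, cur, cur-1) {
			return true
		}
	}
	return false
}

// RunRace fires n parallel registrations at tokens with the given count limit
// and returns how many each variant accepted (naive, safe).
func RunRace(limit, n int) (int, int) {
	naive, safe := &Token{int32(limit)}, &Token{int32(limit)}
	var ready, done sync.WaitGroup
	var nOK, sOK int32
	start := make(chan struct{})
	ready.Add(n)
	done.Add(2 * n)
	for i := 0; i < n; i++ {
		go func() { defer done.Done(); if naiveConsume(naive, &ready, start) { atomic.AddInt32(&nOK, 1) } }()
		go func() { defer done.Done(); if safeConsume(safe) { atomic.AddInt32(&sOK, 1) } }()
	}
	ready.Wait() // every naive caller has done its check...
	close(start) // ...now let them all decrement
	done.Wait()
	return int(nOK), int(sOK)
}
```

With limit 2 and 10 parallel requests the naive variant accepts all 10 (the "Remaining count" goes negative), while the compare-and-swap variant accepts exactly 2.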
