Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Issuer 45649: patch CVE-2026-0707. Add validation on Authorization Header with Bearer #45787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mposolda merged 1 commit into from
Feb 10, 2026
Merged

Issuer 45649: patch CVE-2026-0707. Add validation on Authorization Header with Bearer #45787

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 9 additions & 10 deletions services/src/main/java/org/keycloak/services/managers/AppAuthManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@
package org.keycloak.services.managers;

import java.util.List;
import java.util.regex.Pattern;

import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.core.HttpHeaders;
Expand All @@ -43,8 +42,6 @@ public class AppAuthManager extends AuthenticationManager {

public static final String BEARER = "Bearer";

private static final Pattern WHITESPACES = Pattern.compile("\\s+");

@Override
public AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm) {
AuthResult authResult = super.authenticateIdentityCookie(session, realm);
Expand All @@ -66,26 +63,28 @@ private static AuthHeader extractTokenStringFromAuthHeader(String authHeader) {
return null;
}

String[] split = WHITESPACES.split(authHeader.trim());
if (split.length != 2){
int indexOfSpace = authHeader.indexOf(' ');

if (indexOfSpace <= 0) {
return null;
}

String typeString = split[0];
String typeString = authHeader.substring(0, indexOfSpace);
String tokenString = authHeader.substring(indexOfSpace + 1);

boolean isBearerHeader = typeString.equalsIgnoreCase(BEARER);
if (!Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
if (!typeString.equalsIgnoreCase(BEARER)) {
if (!isBearerHeader) {
return null;
}
} else {
// "Bearer" is case-insensitive for historical reasons. "DPoP" is case-sensitive to follow the spec.
if (!typeString.equalsIgnoreCase(BEARER) && !typeString.equals(TokenUtil.TOKEN_TYPE_DPOP)){
if (!isBearerHeader && !typeString.equals(TokenUtil.TOKEN_TYPE_DPOP)) {
return null;
}
}

String tokenString = split[1];
if (ObjectUtil.isBlank(tokenString)) {
if (ObjectUtil.isBlank(tokenString) || tokenString.contains(" ")) {
Copy link
Contributor

@rmartinc rmartinc Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any difference adding the tokenString.contains(" ") or not adding it?

Copy link
Contributor Author

@ValeriaEpifanova ValeriaEpifanova Feb 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a difference. For example, "Bearer 2SP token" is not blank, so the code would continue processing the token. If next space after first was before token value. Token value will be " token".

Copy link
Contributor

@rmartinc rmartinc Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But I suppose token would fail because it's not a valid token for the space at the beginning. But no problem, now we have tests, so we are covered.

Copy link
Contributor Author

@ValeriaEpifanova ValeriaEpifanova Feb 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, and at first I thought the same thing. But the point of the CVE is that, according to the RFC, there must be strictly one space between Bearer and token.
credentials = "Bearer" 1*SP b64token

return null;
}

Expand Down
129 changes: 129 additions & 0 deletions tests/base/src/test/java/org/keycloak/tests/admin/AppAuthManagerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
package org.keycloak.tests.admin;

import java.io.IOException;

import jakarta.ws.rs.core.Response;

import org.keycloak.models.AdminRoles;
import org.keycloak.models.Constants;
import org.keycloak.testframework.annotations.InjectHttpClient;
import org.keycloak.testframework.annotations.InjectKeycloakUrls;
import org.keycloak.testframework.annotations.InjectRealm;
import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
import org.keycloak.testframework.oauth.OAuthClient;
import org.keycloak.testframework.oauth.annotations.InjectOAuthClient;
import org.keycloak.testframework.realm.ManagedRealm;
import org.keycloak.testframework.realm.RealmConfig;
import org.keycloak.testframework.realm.RealmConfigBuilder;
import org.keycloak.testframework.server.KeycloakUrls;
import org.keycloak.testsuite.util.oauth.AccessTokenResponse;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/**
*
* @author rmartinc
*/
@KeycloakIntegrationTest
public class AppAuthManagerTest {

@InjectRealm(config = TestRealmConfig.class)
ManagedRealm realm;

@InjectOAuthClient
OAuthClient oAuthClient;

@InjectKeycloakUrls
KeycloakUrls keycloakUrls;

@InjectHttpClient
CloseableHttpClient client;

@Test
public void testSuccess() throws IOException {
test("Bearer ", true);
}

@Test
public void testFailure_BearerLowerCase() throws IOException {
test("bearer ", true);
}

@Test
public void testFailure_BearerUpperCase() throws IOException {
test("BEARER ", true);
}

@Test
public void testFailure_BearerDiffCase() throws IOException {
test("BeArEr ", true);
}

@Test
public void testFailure_TwoSpaces() throws IOException {
test("Bearer ", false);
}

@Test
public void testFailure_MultiSpaces() throws IOException {
test("Bearer ", false);
}

@Test
public void testFailure_TabSymbol() throws IOException {
test("Bearer\t", false);
}

private void test(String authPrefix, boolean success) throws IOException {
AccessTokenResponse response = accessToken(oAuthClient, Constants.ADMIN_CLI_CLIENT_ID, "secret", "test-admin", "password");
Assertions.assertNotNull(response.getAccessToken());
try (CloseableHttpResponse res = getHttpJsonResponse(whoAmiUrl(), authPrefix, response.getAccessToken())) {
Assertions.assertEquals(
success ? Response.Status.OK.getStatusCode() : Response.Status.UNAUTHORIZED.getStatusCode(),
res.getStatusLine().getStatusCode());
}
oAuthClient.doLogout(response.getRefreshToken());
}

private AccessTokenResponse accessToken(OAuthClient oAuth, String clientId, String clientSecret, String username, String password) {
return oAuth.client(clientId, clientSecret).doPasswordGrantRequest(username, password);
}

private CloseableHttpResponse getHttpJsonResponse(String url, String authPrefix, String accessToken) throws IOException{
HttpGet httpGet = new HttpGet(url);
httpGet.addHeader("Accept", "application/json");
httpGet.addHeader("Authorization", authPrefix + accessToken);
return client.execute(httpGet);
}

private String whoAmiUrl() {
return new StringBuilder()
.append(keycloakUrls.getBaseUrl())
.append("/admin/default/console/whoami")
.toString();
}

private static class TestRealmConfig implements RealmConfig {

@Override
public RealmConfigBuilder configure(RealmConfigBuilder realm) {
realm.internationalizationEnabled(false);
realm.addUser("test-admin")
.password("password")
.name("Test", "Admin")
.email("[email protected]")
.emailVerified(true)
.clientRoles(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN);
realm.addClient(Constants.ADMIN_CLI_CLIENT_ID)
.name(Constants.ADMIN_CLI_CLIENT_ID)
.secret("secret")
.attribute(Constants.SECURITY_ADMIN_CONSOLE_ATTR, "true")
.directAccessGrantsEnabled(true);
return realm;
}
}
}
Loading