Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Patch CVE-2026-0707. Add validation on Authorization Header with Bearer, add tests (26.5) #46184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ahus1 merged 1 commit into from
Feb 10, 2026
Merged

Patch CVE-2026-0707. Add validation on Authorization Header with Bearer, add tests (26.5) #46184

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 9 additions & 10 deletions services/src/main/java/org/keycloak/services/managers/AppAuthManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@
package org.keycloak.services.managers;

import java.util.List;
import java.util.regex.Pattern;

import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.core.HttpHeaders;
Expand All @@ -41,8 +40,6 @@ public class AppAuthManager extends AuthenticationManager {

public static final String BEARER = "Bearer";

private static final Pattern WHITESPACES = Pattern.compile("\\s+");

@Override
public AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm) {
AuthResult authResult = super.authenticateIdentityCookie(session, realm);
Expand All @@ -64,26 +61,28 @@ private static AuthHeader extractTokenStringFromAuthHeader(String authHeader) {
return null;
}

String[] split = WHITESPACES.split(authHeader.trim());
if (split.length != 2){
int indexOfSpace = authHeader.indexOf(' ');

if (indexOfSpace <= 0) {
return null;
}

String typeString = split[0];
String typeString = authHeader.substring(0, indexOfSpace);
String tokenString = authHeader.substring(indexOfSpace + 1);

boolean isBearerHeader = typeString.equalsIgnoreCase(BEARER);
if (!Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
if (!typeString.equalsIgnoreCase(BEARER)) {
if (!isBearerHeader) {
return null;
}
} else {
// "Bearer" is case-insensitive for historical reasons. "DPoP" is case-sensitive to follow the spec.
if (!typeString.equalsIgnoreCase(BEARER) && !typeString.equals(TokenUtil.TOKEN_TYPE_DPOP)){
if (!isBearerHeader && !typeString.equals(TokenUtil.TOKEN_TYPE_DPOP)) {
return null;
}
}

String tokenString = split[1];
if (ObjectUtil.isBlank(tokenString)) {
if (ObjectUtil.isBlank(tokenString) || tokenString.contains(" ")) {
return null;
}

Expand Down
129 changes: 129 additions & 0 deletions tests/base/src/test/java/org/keycloak/tests/admin/AppAuthManagerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
package org.keycloak.tests.admin;

import java.io.IOException;

import jakarta.ws.rs.core.Response;

import org.keycloak.models.AdminRoles;
import org.keycloak.models.Constants;
import org.keycloak.testframework.annotations.InjectHttpClient;
import org.keycloak.testframework.annotations.InjectKeycloakUrls;
import org.keycloak.testframework.annotations.InjectRealm;
import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
import org.keycloak.testframework.oauth.OAuthClient;
import org.keycloak.testframework.oauth.annotations.InjectOAuthClient;
import org.keycloak.testframework.realm.ManagedRealm;
import org.keycloak.testframework.realm.RealmConfig;
import org.keycloak.testframework.realm.RealmConfigBuilder;
import org.keycloak.testframework.server.KeycloakUrls;
import org.keycloak.testsuite.util.oauth.AccessTokenResponse;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/**
*
* @author rmartinc
*/
@KeycloakIntegrationTest
public class AppAuthManagerTest {

@InjectRealm(config = TestRealmConfig.class)
ManagedRealm realm;

@InjectOAuthClient
OAuthClient oAuthClient;

@InjectKeycloakUrls
KeycloakUrls keycloakUrls;

@InjectHttpClient
CloseableHttpClient client;

@Test
public void testSuccess() throws IOException {
test("Bearer ", true);
}

@Test
public void testFailure_BearerLowerCase() throws IOException {
test("bearer ", true);
}

@Test
public void testFailure_BearerUpperCase() throws IOException {
test("BEARER ", true);
}

@Test
public void testFailure_BearerDiffCase() throws IOException {
test("BeArEr ", true);
}

@Test
public void testFailure_TwoSpaces() throws IOException {
test("Bearer ", false);
}

@Test
public void testFailure_MultiSpaces() throws IOException {
test("Bearer ", false);
}

@Test
public void testFailure_TabSymbol() throws IOException {
test("Bearer\t", false);
}

private void test(String authPrefix, boolean success) throws IOException {
AccessTokenResponse response = accessToken(oAuthClient, Constants.ADMIN_CLI_CLIENT_ID, "secret", "test-admin", "password");
Assertions.assertNotNull(response.getAccessToken());
try (CloseableHttpResponse res = getHttpJsonResponse(whoAmiUrl(), authPrefix, response.getAccessToken())) {
Assertions.assertEquals(
success ? Response.Status.OK.getStatusCode() : Response.Status.UNAUTHORIZED.getStatusCode(),
res.getStatusLine().getStatusCode());
}
oAuthClient.doLogout(response.getRefreshToken());
}

private AccessTokenResponse accessToken(OAuthClient oAuth, String clientId, String clientSecret, String username, String password) {
return oAuth.client(clientId, clientSecret).doPasswordGrantRequest(username, password);
}

private CloseableHttpResponse getHttpJsonResponse(String url, String authPrefix, String accessToken) throws IOException{
HttpGet httpGet = new HttpGet(url);
httpGet.addHeader("Accept", "application/json");
httpGet.addHeader("Authorization", authPrefix + accessToken);
return client.execute(httpGet);
}

private String whoAmiUrl() {
return new StringBuilder()
.append(keycloakUrls.getBaseUrl())
.append("/admin/default/console/whoami")
.toString();
}

private static class TestRealmConfig implements RealmConfig {

@Override
public RealmConfigBuilder configure(RealmConfigBuilder realm) {
realm.internationalizationEnabled(false);
realm.addUser("test-admin")
.password("password")
.name("Test", "Admin")
.email("[email protected]")
.emailVerified(true)
.clientRoles(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN);
realm.addClient(Constants.ADMIN_CLI_CLIENT_ID)
.name(Constants.ADMIN_CLI_CLIENT_ID)
.secret("secret")
.attribute(Constants.SECURITY_ADMIN_CONSOLE_ATTR, "true")
.directAccessGrantsEnabled(true);
return realm;
}
}
}
Loading