When a user logs in, the POST login-actions/authenticate API passes session_code as a query parameter. This is coming up as a security concern in our application. Is it possible to move session_code from the query parameter to either a header or the request payload?
Thanks for your reply @xgp. The security scanning tools used by our Security team are highlighting this as an issue. It keeps complaining about having session_code (token) in the query string, but not about stuff in the payload. It gives the following issue detail:
The URL in the request appears to contain a session token within the query string:
It doesn't complain about details in the payload; that's why I requested this change. Is it possible to move it to either a header or the payload? Any suggestions would be highly appreciated.
Thanks for your reply @xgp. It is concerning to us because it is clear from the API that it is related to a login request; having the session code in a query parameter and credentials in the body as PLAIN TEXT will put us at security risk of allowing someone to conduct a Man-in-the-middle attack.
I would really appreciate it if you could answer the queries below:
1. What is the life span of the session code (token)? Is it used only once, or is it also used for follow-on requests?
2. Is it possible to send the username and password NOT as plain text by making changes to our Realm or Client settings in the Keycloak portal?
It would be really kind of you if you could guide us on this.
I think the core problem is that you're assuming the session_code value is a "token", where "token" is defined as the value that gives the user access. I'm guessing, but the security scanner probably says "let's mark everything with 'session' in the name as a potential leak of an access token". That is not the case. The session_code in Keycloak really just keeps state for an authentication flow, so it can keep track of where the user is in the flow of screens and challenges.
So, per your questions:
1. The session_code is valid for the duration of an authentication session, which is limited by the "Login timeout" configuration variable. It is just used for one session.
2. It depends:
a. This is not the way Keycloak's defaults work, and sending a POST payload with username and password using HTTPS is not the same as sending them "as plain text". This is how most browser authentication systems work, and is not considered a security risk.
b. If it's something you really think you need to do, there is documentation on how to write a Custom Authenticator. If you do that, and think you have solved an important security problem, please contribute it back here.
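To make the distinction in the answer above concrete, here is a small model of a login-flow state code versus an access token. It is an added illustration, not Keycloak's implementation and not code from this thread: the `AuthSessionStore` class, the `LOGIN_TIMEOUT_SECONDS` constant (standing in for the realm's "Login timeout" setting) and the per-step code rotation are all assumptions made for the example. It shows why a flow-state code carried in the URL is not, by itself, a credential: it only works together with the server-side authentication session (which a real server would bind to a cookie), it expires with the login timeout, it is consumed when the flow completes, and a protected resource never accepts it in place of an access token.

```python
"""Illustrative model (not Keycloak's code) of a login-flow state code
versus an access token, to show why the two are different kinds of value."""
import secrets
import time

# Assumption: stands in for the realm's "Login timeout" setting, in seconds.
LOGIN_TIMEOUT_SECONDS = 1800


class AuthSessionStore:
    """Tracks in-progress authentication flows (hypothetical helper).

    A flow is identified by an authentication-session id that a real server
    would keep in a cookie; the per-step code travels in the request URL.
    Both must match for a step to advance, so the code alone grants nothing.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._flows = {}            # auth session id -> flow record
        self._access_tokens = set()  # tokens issued by completed flows

    def start_flow(self):
        """Begin a login flow; returns (auth_session_id, session_code)."""
        sid = secrets.token_urlsafe(16)
        code = secrets.token_urlsafe(16)
        self._flows[sid] = {"code": code, "started": self._clock(), "completed": False}
        return sid, code

    def advance(self, sid, code):
        """Validate one step of the flow; returns the next code, or None."""
        flow = self._flows.get(sid)
        if flow is None or flow["completed"]:
            return None                      # no live flow behind this id
        if self._clock() - flow["started"] > LOGIN_TIMEOUT_SECONDS:
            del self._flows[sid]             # login timeout: discard the flow
            return None
        if not secrets.compare_digest(flow["code"], code):
            return None                      # code does not match this flow
        flow["code"] = secrets.token_urlsafe(16)   # rotate the code per step
        return flow["code"]

    def complete_flow(self, sid, code):
        """Finish the flow: consume the auth session and issue an access token."""
        if self.advance(sid, code) is None:
            return None
        self._flows[sid]["completed"] = True
        token = secrets.token_urlsafe(32)
        self._access_tokens.add(token)
        return token

    def resource_allows(self, bearer):
        """What a protected resource checks: only issued access tokens count."""
        return bearer in self._access_tokens


def demo():
    """Walk one flow through and record what each value can and cannot do."""
    store = AuthSessionStore()
    sid, code = store.start_flow()
    results = {}
    # A session code replayed without the cookie-bound auth session is useless.
    results["code_without_session"] = store.advance("not-the-session", code) is None
    # A session code is not accepted where an access token is required.
    results["code_at_resource"] = store.resource_allows(code)
    next_code = store.advance(sid, code)
    # Once rotated, the previous code is dead even for the right session.
    results["old_code_after_rotation"] = store.advance(sid, code) is None
    token = store.complete_flow(sid, next_code)
    results["token_at_resource"] = store.resource_allows(token)
    # The flow cannot be reused after it has completed.
    results["flow_reusable_after_completion"] = store.advance(sid, next_code) is not None
    return results


def expiry_demo():
    """Show that an otherwise valid code dies once the login timeout passes."""
    clock = [0.0]
    store = AuthSessionStore(clock=lambda: clock[0])
    sid, code = store.start_flow()
    clock[0] = LOGIN_TIMEOUT_SECONDS + 1
    return store.advance(sid, code) is None


if __name__ == "__main__":
    print(demo())
    print("expired code rejected:", expiry_demo())
```

The model deliberately separates the two namespaces: `advance()` only ever sees flow codes, and `resource_allows()` only ever sees issued tokens, which is the property the scanner's "session token in query string" rule cannot tell apart by name alone. Note that the value still travels in a URL, so it benefits from the same care as any other URL content: HTTPS on the wire and sensible log scrubbing.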
Many thanks for your reply @xgp. It is all making sense now. Thanks for confirming that session_code is different from the token, which is used for user identification. Yes, our connections are HTTPS, which should encrypt everything; it's the browser that is displaying it to us as PLAIN TEXT. I agree that is how most applications work. I really appreciate you taking the time out to respond to my queries.