For POST login-actions/authenticate API, move session_code from query parameter to Header or Request body

When user logs in the POST login-actions/authenticate API is passing session_code as query parameter. This is coming up as a security concern in our application. Is it possible to move
session_code from query parameter to either Header or Request payload?

Following are the details of the request

Request URL

Request Payload

Keycloak - 14.0.0
React - 17.0.2
Java - 11

If you can you please respond to this or at least guide us in the right direction that would be really kind if you.

How is it more of a security concern to have it in the header or request? Both are available to the user.

Thanks for your reply @xgp The security scanning tools used by our Security team is highlighting this as an issue. It keeps complaining about having session_code(token) in query string but not about stuff in payload. It gives following issue detail.

The URL in the request appears to contain a session token within the query string:

It doesn’t complain about details in payload that’s why I requested this change, is it possible to move it to either header or payload?. Any suggestions would be highly appreciated.

No, it’s not possible.

If your security team can articulate why it is a security risk, please post here! Thank you.

Thanks for your reply @xgp . It is concerning to us because it is clear from the API that it is related to login request, having session code in query parameter and credentials in body as PLAIN TEXT will be at security risk of allowing someone to conduct a Man-in-the-middle attack.

I would really appreciate if you answer below queries

  1. What is the life span of the session code(token)? Is it used only once or it is also used for follow-on requests?

  2. Is it possible to send username and password NOT as plain text, by make changes to our Realm or Client settings in Keycloak portal?

It will be really kind of you, If you can guide us on this.

I think the core problem is that you’re assuming the session_code value is a “token”, where “token” is defined as the value that gives the user access. I’m guessing, but the security scanner probably says “let’s mark everything with ‘session’ in the name as a potential leak of an access token”. That is not the case. The session_code in Keycloak really just keeps state for an authentication flow, so it can keep track of where the user is in the flow of screens and challenges.

So, per your questions

  1. The session_code is valid for the duration of an authentication session, which is limited by the “Login timeout” configuration variable. It is just used for one session.
  2. It depends:
    a. This is not the way Keycloak’s defaults work, and sending a POST payload with username and password using HTTPS is not the same as sending them “as plain text”. This is how most browser authentication systems work, and is not considered a security risk.
    b. If it’s something you really think you need to do, there is documentation on how to write a Custom Authenticator. If you do that, and think you have solved an important security problem, please contribute it back here.

Many thanks for your reply @xgp . It is all making sense now. Thanks for confirming that session_code is different from token, which is used for user identification. Yes, our connections are HTTPS that should
encrypt everything, its the browser that is displaying us as PLAIN TEXT. I agree that is how most of the applications work. I really appreciate for taking time out to respond to my queries :slight_smile: