Possibility to get secret in public clients

valeriy.navozenko · April 9, 2021, 3:50pm

Hi, I recently found a problem that allowed me to get secret from public clients.
To do this, I needed to open
http://localhost:8080/auth/realms/master/clients-registrations/default/security-admin-console
where I see a secret field with a value that is in my database.

I did the same actions with other public clients in other realms and I also got their secrets

Since I can easily change the client type from public to private, this can create a security problem. And while I have not seen any warning not to do this in the documentation, I think that this is normal.

In the specification OAuth 2.0 Dynamic Client Registration Management Protocol I found that the secret should only be returned by confidential clients and I think this is correct

Do you think this is a security problem?
Can I hide my secret from Keycloak’s answer?

jangaraj · April 9, 2021, 4:32pm

IMHO it can be vector to get client secret - Keycloak - Security

valeriy.navozenko · April 13, 2021, 9:11am

Thank you, I created a ticket based on your recommendation.
If it really could be a security issue, can we remove this question from the forum?

Topic		Replies	Views
Generate secret for user credential through keycloak admin client Getting advice	0	626	December 2, 2023
Is it safe to use the client secret in a public mobile app? Getting advice	5	2307	March 11, 2024
Client Secret Retrieval via Keycloak Web Interface Securing applications	0	344	March 25, 2021
Changing client access-type from 'public' to 'confidential' breaks CORS? Getting advice	2	2382	May 31, 2020
Using a public client to communicate with a confidential client Getting advice authentication	0	292	January 5, 2023

Possibility to get secret in public clients

Related Topics