Realm Master Secret Leaked

rrgg · January 29, 2021, 6:44pm

Hi,

I’m studying the security of Keycloak, and I want to know what security impact the leakage of the Realm Master Secret Leaked could have? If an attacker obtains this key without any other authentication, what he could do to the system?

Thanks

arnaudluti · January 29, 2021, 7:44pm

Hi,

What do you mean by ‘master secret’ ? The admin console password ?
As far i know, the private keys used for SAML or oAUTH are not accessible, at least easily, but if these leak, this could allow attackers from modify the SAML or oAUTH responses and gain any access to your SPs

Arnaud

Topic		Replies	Views
Does Keycloak create and handle user keys? Securing applications authentication	0	263	August 10, 2022
Store realm keys in Vault	2	609	May 16, 2023
Publish Keycloak externally for clients but hide admin console? Configuring the server	2	3133	February 21, 2021
Aes and hmac realm keys	2	3119	December 13, 2019
Security risk in crash dumps? Securing applications	0	109	November 29, 2023

Realm Master Secret Leaked

Related Topics