The security policy for reporting a suspected vulnerability is indicated at https://www.keycloak.org/security.html. That said, you can find more information at https://keycloak.discourse.group/t/for-post-login-actions-authenticate-api-move-session-code-from-query-parameter-to-header-or-request-body/11120.
Hi, I just stumbled upon this issue from our VAPT auditor and they are not ready to accept the fact that it is not a vulnerability. Is there official Keycloak documentation that explains the session_code parameter in detail? I know and I have seen the code, but I do not want to give the auditor a walkthrough of the source code; documentation would help me close the issue with the auditor.
Hello!
I am using Keycloak for login in my company and we had a vulnerability reported saying that exposing the session_code in the URL when performing login is not secure.
I have been searching for this and can't reach any conclusion. But it seems odd to me that no issue has been created in the GitHub repository addressing this.
Could someone enlighten me, please? Tyvm