Skip to content

Keycloak API Keys

Service Name: Keycloak

Service Description: Keycloak is an open-source Identity and Access Management (IAM) solution that provides single sign-on capabilities, identity brokering, and social login for modern applications and services. It offers user federation, strong authentication, user management, fine-grained authorization, and more.

Service Address: https://www.keycloak.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the realm level using network policies, but not directly at the API key level.

Secret Access Scope: Grants programmatic access to Keycloak's Admin REST API, allowing management of realms, users, clients, roles, and other identity-related resources.

Secret Revokement URL: https://www.keycloak.org/docs/latest/server_admin/#_service_accounts6/19/26,3:28PMEntroSecurity

Secret Example: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfMnE4T2dDYVJvU0NYNG5IdE 9NUFZzUXZjN2xGcXZBRmZiOFhhYjBqeG93In0.eyJleHAiOjE2NTY4OTU3MzYsImlhdCI6MTY1N jg5NTQzNiwianRpIjoiNDhjOTg4MmYtNzIwMS00MzQ0LWEzYTItMThmNDkwMGE2NmI2IiwiaXNz IjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY29 1bnQiLCJzdWIiOiJhMDg5MzQyZC02MzVlLTRlNTQtYjEzNy1hYzEyYzYzNTI2MWYiLCJ0eXAiOi JCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiYTVjM2U0MmItMDkwZ S00NWJjLWI4YWUtZTM0NmY4YzM0ZmNkIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xl cyI6WyJkZWZhdWx0LXJvbGVzLW1hc3RlciIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml 6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS 1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZ SI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiJhNWMzZTQyYi0wOTBlLTQ1YmMtYjhhZS1lMzQ2Zjhj MzRmY2QiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZ pY2UtYWNjb3VudC1hZG1pbi1jbGkiLCJjbGllbnRJZCI6ImFkbWluLWNsaSIsImNsaWVudEhvc3 QiOiIxMjcuMC4wLjEiLCJlbWFpbCI6InNlcnZpY2UtYWNjb3VudC1hZG1pbi1jbGlAcGxhY2Vob 2xkZXIub3JnIn0.XYZ123

Suspicious Activity Investigation Instructions:

  • Review Keycloak server logs for unusual authentication attempts or administrative actions
  • Check for unexpected realm, client, or user modifications
  • Monitor for unusual token issuance patterns or high volumes of authentication requests
  • Examine IP addresses accessing the Keycloak admin console or API endpoints
  • Review event logs for administrative actions performed outside normal business hours
  • Check for new client registrations or modifications to existing client configurations

Mitigation Instructions:

  • Immediately revoke the compromised service account or client credentials in the Keycloak Admin Console
  • Navigate to the Clients section in the Admin Console and select the affected client

  • Regenerate the client secret for the affected client

  • Update the secret in all legitimate applications using the client
  • Review and potentially reduce the scope of permissions assigned to the client
  • Enable additional security features like client certificate authentication
  • Consider implementing shorter token lifetimes and stricter token policies
  • Review and update access policies to restrict admin API access to specific IP

ranges

  • Enable and review audit logging for administrative actions