Keycloak API Keys
Service Name: Keycloak
Service Description: Keycloak is an open-source Identity and Access Management (IAM) solution that provides single sign-on capabilities, identity brokering, and social login for modern applications and services. It offers user federation, strong authentication, user management, fine-grained authorization, and more.
Service Address: https://www.keycloak.org/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the realm level using network policies, but not directly at the API key level.
Secret Access Scope: Grants programmatic access to Keycloak's Admin REST API, allowing management of realms, users, clients, roles, and other identity-related resources.
Secret Revokement URL: https://www.keycloak.org/docs/latest/server_admin/#_service_accounts6/19/26,3:28PMEntroSecurity
Secret Example: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfMnE4T2dDYVJvU0NYNG5IdE 9NUFZzUXZjN2xGcXZBRmZiOFhhYjBqeG93In0.eyJleHAiOjE2NTY4OTU3MzYsImlhdCI6MTY1N jg5NTQzNiwianRpIjoiNDhjOTg4MmYtNzIwMS00MzQ0LWEzYTItMThmNDkwMGE2NmI2IiwiaXNz IjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY29 1bnQiLCJzdWIiOiJhMDg5MzQyZC02MzVlLTRlNTQtYjEzNy1hYzEyYzYzNTI2MWYiLCJ0eXAiOi JCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiYTVjM2U0MmItMDkwZ S00NWJjLWI4YWUtZTM0NmY4YzM0ZmNkIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xl cyI6WyJkZWZhdWx0LXJvbGVzLW1hc3RlciIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml 6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS 1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZ SI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiJhNWMzZTQyYi0wOTBlLTQ1YmMtYjhhZS1lMzQ2Zjhj MzRmY2QiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZ pY2UtYWNjb3VudC1hZG1pbi1jbGkiLCJjbGllbnRJZCI6ImFkbWluLWNsaSIsImNsaWVudEhvc3 QiOiIxMjcuMC4wLjEiLCJlbWFpbCI6InNlcnZpY2UtYWNjb3VudC1hZG1pbi1jbGlAcGxhY2Vob 2xkZXIub3JnIn0.XYZ123
Suspicious Activity Investigation Instructions:
- Review Keycloak server logs for unusual authentication attempts or administrative actions
- Check for unexpected realm, client, or user modifications
- Monitor for unusual token issuance patterns or high volumes of authentication requests
- Examine IP addresses accessing the Keycloak admin console or API endpoints
- Review event logs for administrative actions performed outside normal business hours
- Check for new client registrations or modifications to existing client configurations
Mitigation Instructions:
- Immediately revoke the compromised service account or client credentials in the Keycloak Admin Console
-
Navigate to the Clients section in the Admin Console and select the affected client
-
Regenerate the client secret for the affected client
- Update the secret in all legitimate applications using the client
- Review and potentially reduce the scope of permissions assigned to the client
- Enable additional security features like client certificate authentication
- Consider implementing shorter token lifetimes and stricter token policies
- Review and update access policies to restrict admin API access to specific IP
ranges
- Enable and review audit logging for administrative actions