Keycloak Realm Secret
Service Name: Keycloak
Service Description: Keycloak is an open-source Identity and Access Management (IAM) solution that provides single sign-on capabilities, identity brokering, and social login for modern applications and services. It offers user federation, strong authentication, user management, fine-grained authorization, and more.
Service Address: https://www.keycloak.org/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the realm level through network policies and client configurations.
Secret Access Scope: Grants administrative access to a specific realm within a Keycloak instance, allowing management of users, clients, roles, and authentication flows.
Secret Revokement URL: https://www.keycloak.org/docs/latest/server_admin/#_revoke_client_secrets
Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJrZXljbG9hay1hZG1pbiIsImlhd CI6MTUxNjIzOTAyMn0.KZ8T9vXBpjA7jZKvADyFZQOYlJ3Hn5i9ggL1HCQmkXY
Suspicious Activity Investigation Instructions:
- Review Keycloak server logs for unusual authentication attempts or administrative actions.
- Check for unexpected client registrations or modifications within the realm.
- Monitor for unusual user role assignments or permission changes.
- Examine event logs for administrative actions performed outside normal business hours.
- Verify if there are any unauthorized realm settings changes.
Mitigation Instructions:
- Log in to the Keycloak Admin Console.
- Navigate to the affected realm.
- Go to Realm Settings > Keys.
- Rotate the realm keys to invalidate existing tokens.
- For client secrets, go to Clients, select the affected client, and regenerate the client secret.
- Review and update any compromised admin account credentials.
- Enable two-factor authentication for administrative accounts if not already enabled.
- Consider implementing shorter token lifetimes and stricter session policies.
- Review and restrict the IP addresses that can access the admin console.