Keycloak JWT Access Token Wrong Organization Claim Assignment Fix

Keycloak Vulnerability Summary: Incorrect Organization Claim Assignment in JWT Access Token Vulnerability Overview Title: Wrong organization claim assignment in JWT access token #37169 Status: Closed Severity: Bug (kind/bug) Affected Versions: release/26.0.10, release/26.1.3, release/26.2.2 Description: When creating a user whose email domain matches the domain of an existing Organization, but the user is not actually assigned to any organization, Keycloak incorrectly includes the claim for that organization in the generated JWT access token. Expected Behavior: If a user is not assigned to any organization, their access token should not contain the claim, even if their email domain matches that of an organization. Actual Behavior: Users not assigned to any organization have their access tokens containing actual organization data. Impact Scope Involves the Organizations feature in Keycloak. Affects clients using Client Scopes and the Organization Membership mapper to generate JWT tokens. May result in unauthorized users being incorrectly identified as members of a specific organization, thereby gaining undesired access permissions. Remediation This issue has been fixed in subsequent versions. According to the commit history at the bottom of the page, the fix involves the following commits: These commits primarily modify the logic to ensure that organization information is only set in the client session when the user re-authenticates and is confirmed to be a mapped organization member. Reproduction Steps (POC) The following reproduction steps, summarized from screenshots, demonstrate the configuration and exploitation process of the vulnerability: 1. Create a Realm and enable Organizations. 2. Set Username to Email. 3. Modify Client Scope: In the client scope settings, set as Default. Navigate to the Mappers settings for the scope. Before (Vulnerable Configuration): Claim JSON Type: Multivalued: Add organization attributes: Add organization id: After (Fixed Configuration): Claim JSON Type: Multivalued: Add organization attributes: Add organization id: 4. Create a Client and enable the aforementioned scope. 5. Create Organizations: Organization , domain Organization , domain 6. Create User: Create user . Key Point: This user is not assigned to any organization (even though their email domain matches organization ). 7. Log in to the application and obtain the token: Log in using the user. Obtain the JWT access token. Exploitation Result (Token Payload): In the unpatched version, the token contains an incorrect organization claim: Evaluation Tool Verification: The page also mentions that Keycloak's built-in Evaluation tool works correctly, suggesting that the issue lies with specific Mapper configurations or token generation logic rather than the fundamental organization determination logic.

Goal Reached Thanks to every supporter — we hit 100%!

Keycloak JWT Access Token Wrong Organization Claim Assignment Fix

More from this source