libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Prevent security flaw using passwordless authentication

Browse source 
If you register without an password or delete your last token your account can be hijacked. This is can be done by simply trying to login in that moment where the account is without a token. You get the "normal" registration dialog and can capture the complete account.
This commit is contained in:
Florian Ritterhoff 2021-06-12 18:30:27 +02:00 committed by Bruno Oliveira da Silva
parent b4536a394a
commit 65480cb5a1
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
services/src/main/java/org/keycloak/authentication/authenticators/browser/WebAuthnPasswordlessAuthenticatorFactory.java
View file

@ -53,4 +53,10 @@ public class WebAuthnPasswordlessAuthenticatorFactory extends WebAuthnAuthentica
public String getId() { public String getId() {
return PROVIDER_ID; return PROVIDER_ID;
} }
@Override
public boolean isUserSetupAllowed() {
return false;
}
} }