Open cboitel opened 4 weeks ago

Description
Since metrics use client_id as a label, an invalid value can be used to create more and more metrics, causing Prometheus collectors to fail. This has multiple possible side effects:

Expected Behavior
To be defined, but one could:

Actual Behavior
4 new lines in Prometheus exported data which will remain forever.
Ex:
keycloak_login_attempts_created{client_id="wrong-XXXX"...}
keycloak_login_attempts_total{client_id="wrong-XXXX"...}
keycloak_failed_login_attempts_total{client_id="wrong-XXXX",error="client_not_found",provider="keycloak",realm="users"}
keycloak_failed_login_attempts_created{client_id="wrong-XXXX",error="client_not_found",provider="keycloak",realm="users"}
More and more lines returned means:

Environment
Based on keycloak docker image 24.0.1-0 with metrics spi 5.0.0

Steps to reproduce
Simply initiate an OIDC/OAuth2 flow against Keycloak using an unknown client_id, which can be different each time.
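The following is an added example, not code from this issue or from the keycloak-metrics-spi project. It models the failure mode reported above in pure Python: a minimal stand-in for a labelled Prometheus counter, the pattern in which an attacker-chosen client_id becomes a label value (so every fresh value mints a new time series), one bounded alternative that collapses client_ids not configured in the realm into a single sentinel label, and the scrape-side check an operator can run over exposition text to spot runaway cardinality. KNOWN_CLIENTS, LabeledCounter, record_raw, record_bounded and series_per_metric are names chosen for this example, and the sample exposition text in the usage is constructed.

```python
"""Added example, not code from the issue or from keycloak-metrics-spi.

Models the label-cardinality failure mode reported above with a minimal
stand-in for a labelled Prometheus counter, shows one bounded alternative,
and includes the check an operator can run over scraped exposition text to
detect runaway cardinality. KNOWN_CLIENTS is a constructed stand-in for the
clients configured in a realm.
"""
import re
from collections import defaultdict


# Hypothetical set of clients configured in the realm (constructed for the example).
KNOWN_CLIENTS = {"account", "admin-cli", "web-app"}


class LabeledCounter:
    """Stand-in for a Prometheus counter: one time series per distinct label set."""

    def __init__(self, name):
        self.name = name
        self.series = defaultdict(int)

    def inc(self, **labels):
        self.series[tuple(sorted(labels.items()))] += 1

    def cardinality(self):
        return len(self.series)

    def exposition(self):
        """Render every series in Prometheus text exposition format."""
        lines = []
        for labelset, value in self.series.items():
            rendered = ",".join(f'{k}="{v}"' for k, v in labelset)
            lines.append(f"{self.name}{{{rendered}}} {value}")
        return "\n".join(lines)


def record_raw(counter, client_id, realm="users"):
    """Pattern described in the issue: the attacker-chosen client_id is used
    verbatim as a label value, so every new value creates a new series."""
    counter.inc(client_id=client_id, error="client_not_found",
                provider="keycloak", realm=realm)


def record_bounded(counter, client_id, realm="users"):
    """Mitigation: label only with client_ids that exist in the realm; any other
    value collapses into one sentinel label, so an attacker cannot mint series."""
    label = client_id if client_id in KNOWN_CLIENTS else "unknown"
    counter.inc(client_id=label, error="client_not_found",
                provider="keycloak", realm=realm)


def simulate(record, attempts):
    """Drive `attempts` failed logins, each with a fresh unknown client_id."""
    counter = LabeledCounter("keycloak_failed_login_attempts_total")
    for i in range(attempts):
        record(counter, f"wrong-{i:08x}")
    return counter


# metric_name{labels} value   (labels optional; timestamp, if any, is ignored)
SERIES_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+\S+")


def series_per_metric(text):
    """Count distinct series per metric name in exposition text. This is the
    scrape-side check for cardinality growth; comment and blank lines are skipped."""
    counts = defaultdict(int)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SERIES_RE.match(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    raw = simulate(record_raw, 1000)
    bounded = simulate(record_bounded, 1000)
    print("raw series:", raw.cardinality())          # one series per attempt
    print("bounded series:", bounded.cardinality())  # a single series
    print(series_per_metric(raw.exposition()))
```

Running the script shows the raw counter growing by one series per request while the bounded counter stays at one. The design choice in record_bounded is that for a client_not_found error the unknown client_id carries no information an operator can act on, so it is safe to drop it into a sentinel; client_ids that do exist in the realm keep their own label. series_per_metric is the kind of check to run against the /metrics output periodically, alerting when a metric's series count keeps climbing.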