keycloakify / keycloakify

🔏 Keycloak theming for the modern web
https://www.keycloakify.dev
MIT License

window.kcContext exposes the user credentials (username+password) in case of authentication failure. #534

Closed elloumiii closed 7 months ago

elloumiii commented 7 months ago

How to reproduce?

  1. Clone the keycloakify-starter
  2. Build the project
  3. Copy the JAR file into the providers directory of Keycloak
  4. Assign the theme to 1 Keycloak client (login)
  5. Try to authenticate with a wrong username/password credentials
  6. On the console: window.kcContext

The output includes a login object with username and password attributes which are not necessary for this page (the user will re-type the username and password again).

[screenshot]

Also I am not sure why the content of window.kcContext is different from the one that exists on the page (by checking the page source code, the one in the source code does not include the username and password, just an empty login object).

Thanks!!

garronej commented 7 months ago

Hello @elloumiii,

By default Keycloakify puts the full FreeMarker context into kcContext. See source. This is why you don't find anything when you search "password" in the code.

I can filter out kcContext.login.password, sure, however I don't think this represents a security vulnerability. Keycloak just sends back the credentials that the user just entered.
A theme could display a message like "You've just entered the default password that was provided to you by the sysadmin; you've changed it since". I don't know.

I'm also working on a configuration option that will make it possible to filter things out of the kcContext.

Since having something named "password" in the kcContext might be a red flag for some users, I'm going to filter it out.
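The reproduction steps above and the filtering garronej describes can both be exercised with the following added example. It is not Keycloakify's code and not the fix linked below: it audits a kcContext-like object for credential-looking keys (the same check one would run against `window.kcContext` in the browser console after a failed login) and returns a copy with those keys stripped. The function names `findSensitivePaths`, `stripSensitive` and `auditAndClean`, the `SENSITIVE_KEY` pattern and the `sampleKcContext` object are all assumptions made for this example; the sample is constructed to resemble the shape the issue reports, and the key pattern deliberately goes beyond the single `login.password` key rather than matching one path.

```javascript
// Added example (not Keycloakify code): audit a kcContext-like object for
// credential-looking keys, then strip them before the theme uses the object.
// All names below are assumptions for this example, not Keycloakify API.

// Key names that should never reach client-side JavaScript. Matching on the
// key name (not the value) is what one can actually do generically: the
// value "hunter2" is indistinguishable from any other string.
const SENSITIVE_KEY = /^(password|passwd|pwd|secret|credential|token)$/i;

// Walk an object graph and return dotted paths of keys whose name looks
// sensitive. `seen` guards against cycles, which a real runtime context can contain.
function findSensitivePaths(obj, prefix = "", seen = new Set()) {
  const hits = [];
  if (obj === null || typeof obj !== "object" || seen.has(obj)) return hits;
  seen.add(obj);
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SENSITIVE_KEY.test(key)) hits.push(path);
    hits.push(...findSensitivePaths(value, path, seen));
  }
  return hits;
}

// Return a deep copy of the context with sensitive keys removed; the input
// object is left untouched so the caller can compare before and after.
function stripSensitive(obj, seen = new WeakMap()) {
  if (obj === null || typeof obj !== "object") return obj;
  if (seen.has(obj)) return seen.get(obj);
  const out = Array.isArray(obj) ? [] : {};
  seen.set(obj, out);
  for (const [key, value] of Object.entries(obj)) {
    if (SENSITIVE_KEY.test(key)) continue;
    out[key] = stripSensitive(value, seen);
  }
  return out;
}

// Constructed sample resembling what the issue reports after a failed login
// on login.ftl: the submitted credentials are echoed back under `login`.
const sampleKcContext = {
  pageId: "login.ftl",
  realm: { displayName: "myrealm" },
  login: { username: "alice", password: "hunter2", rememberMe: "on" },
  message: { type: "error", summary: "Invalid username or password." },
};

// In a browser console on a Keycloakify login page one would pass
// window.kcContext here instead of the constructed sample.
function auditAndClean(ctx) {
  const leaks = findSensitivePaths(ctx);
  return { leaks, cleaned: stripSensitive(ctx) };
}

const { leaks, cleaned } = auditAndClean(sampleKcContext);
console.log("sensitive paths:", leaks);        // ["login.password"]
console.log("cleaned login:", cleaned.login);  // { username: "alice", rememberMe: "on" }
```

Running the audit in the console before the theme's first render is the practical check: an empty `leaks` array is what you want on every page, not just on login.ftl, because the FreeMarker context is handed over wholesale rather than per page.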

garronej commented 7 months ago

Done

https://github.com/keycloakify/keycloakify/commit/5bb22fc3457188772ae87464711d4f3adbaf0c8e

Thanks for reporting