sschnabe
commented
1 month ago Ignoring them may hide the fact that the system is under attack. I would collect the unknown client_id in UNKNOWN as you proposed! Thank you!
Open xgp opened 1 month ago
sschnabe
commented
1 month ago Ignoring them may hide the fact that the system is under attack. I would collect the unknown client_id in UNKNOWN as you proposed! Thank you!
https://github.com/kokuwaio/keycloak-event-metrics/blob/main/src/main/java/io/kokuwa/keycloak/metrics/event/MetricsEventListener.java#L36
If a Keycloak system is under attack by an adversary that is attempting to find vulnerabilities or execute script injection attacks, they may set the
client_idvalue to arbitrary values. This can pollute the metrics, and cause an explosion of the counters. In order to mitigate this, I suggest adding a configuration that allows unknown clients to either be ignored, or grouped into anUNKNOWNclient_id.Let me know what you think, and I'll PR.