p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak
https://phasetwo.io

Leaking information about existing users (user enumeration) when "ext-magic-create-nonexistent-user: false" #86

Closed awoimbee closed 3 weeks ago

awoimbee commented 1 month ago

Just like https://github.com/sventorben/keycloak-home-idp-discovery/issues/251.

When `ext-magic-create-nonexistent-user: false`, this extension will return "Invalid username or email.", which is not great in terms of security (OWASP). It should instead behave the same way as when it creates a new user.

Screenshot from 2024-08-08 12-27-08
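The two behaviours described in this issue, as an added example that is not the extension's own code (a minimal stand-in for the magic-link endpoint; the class, function names and the generic message text are hypothetical): the vulnerable path answers differently for an unknown address, while the fixed path returns the same status and body whether or not the account exists.

```python
# Added example, not code from keycloak-magic-link. Models the endpoint's
# observable behaviour only; names are hypothetical stand-ins.
from dataclasses import dataclass

GENERIC_RESPONSE = "If an account exists for that address, a magic link has been sent."
REVEALING_RESPONSE = "Invalid username or email."  # message quoted in the issue


@dataclass
class Outcome:
    status: int
    message: str
    email_sent: bool  # server-side side effect, never shown to the client


class MagicLinkService:
    def __init__(self, users: set[str], create_nonexistent_user: bool, hardened: bool):
        self.users = set(users)
        self.create_nonexistent_user = create_nonexistent_user
        self.hardened = hardened

    def request_link(self, email: str) -> Outcome:
        exists = email in self.users
        if not exists and self.create_nonexistent_user:
            self.users.add(email)  # "create nonexistent user" mode
            exists = True
        if exists:
            return Outcome(200, GENERIC_RESPONSE, email_sent=True)
        if self.hardened:
            # Fixed behaviour: same status and body as the success path; only
            # the mail is skipped. (Send mail asynchronously in a real system so
            # the skipped send does not show up as a response-time difference.)
            return Outcome(200, GENERIC_RESPONSE, email_sent=False)
        # Vulnerable behaviour reported in the issue: the reply itself tells the
        # caller that no such account exists.
        return Outcome(400, REVEALING_RESPONSE, email_sent=False)


def client_visible(o: Outcome) -> tuple[int, str]:
    return (o.status, o.message)


def leaks_user_existence(service: MagicLinkService, known: str, unknown: str) -> bool:
    """Black-box check: does the client-visible response differ between a
    known and an unknown address? True means user enumeration is possible."""
    return client_visible(service.request_link(known)) != client_visible(service.request_link(unknown))
```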

rtufisi commented 1 month ago

On it

rtufisi commented 1 month ago

Hi all. Please check the fix here: https://github.com/p2-inc/keycloak-magic-link/pull/87

xgp commented 1 month ago

@awoimbee Please test with this branch.

awoimbee commented 3 weeks ago

Hi, trying to build a container from the branch, I'm having issues building the packages:

git clone git@github.com:p2-inc/keycloak-magic-link.git
git clone git@github.com:p2-inc/phasetwo-containers.git --depth 1
podman run -it --rm -v .:/work maven:3.9.8-eclipse-temurin-11 bash
cd /work/phasetwo-containers/libs/
mvn package
cd ../../keycloak-magic-link/
mvn clean install
# I wanted to then cp ./io.phasetwo.keycloak-keycloak-magic-link-0.27.jar ../phasetwo-containers/libs/target/container-0.1-SNAPSHOT/

The magic-link build doesn't work:

[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.696 s
[INFO] Finished at: 2024-08-19T07:46:32Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.11.0:compile (default-compile) on project keycloak-magic-link: Fatal error compiling: error: invalid target release: 21 -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.11.0:compile (default-compile) on project keycloak-magic-link: Fatal error compiling

xgp commented 3 weeks ago

You need to build in a container with a JDK at or above version 21.

awoimbee commented 3 weeks ago

Hi, perfect, thanks! (I used the container image maven:3.9-amazoncorretto-21 to build the extension.)

https://github.com/user-attachments/assets/1535930f-e9f8-4ae5-a29f-89e808f4036a