CVE-2023-0091 Overview
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information. The vulnerability is classified as CWE-863 (Incorrect Authorization), indicating a failure to properly enforce authorization checks when validating client tokens.
Impact
NVD and Red Hat rate this flaw Low (CVSS 3.1 base score 3.8, vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N). The attacker must already hold a client's credentials or a token issued to that client (the PR:H in the vector); what the flaw adds is persistence: such a token keeps working in Keycloak's client credential flow after an administrator has revoked it, so information that the revocation was meant to cut off can still be read or modified.
Affected Products
- Red Hat Keycloak
- Red Hat Single Sign-On 7.0
Discovery Timeline
- 2023-01-13 - CVE-2023-0091 published to NVD
- 2025-04-09 - Last updated in NVD database
Technical Details for CVE-2023-0091
Vulnerability Analysis
The vulnerability exists in Keycloak's client credential flow implementation. When a client authenticates using the OAuth 2.0 client credentials grant type, Keycloak fails to properly validate whether the issued tokens have been revoked. This authorization bypass allows previously revoked tokens to remain functional, enabling continued access to protected resources.
The client credentials grant is commonly used for machine-to-machine authentication where no user interaction is involved. In this flow, the client directly authenticates with the authorization server using its credentials to obtain an access token. The failure to check token revocation status means that even after an administrator explicitly revokes a client's tokens, those tokens may still be accepted by the system.
Root Cause
The root cause is an incorrect authorization check (CWE-863) in Keycloak's token validation logic for the client credential flow. Keycloak implements revocation as a "not before" timestamp, set for the realm, for a client, or for a user and pushed to clients through the admin console's Revocation action; any token issued before that timestamp is supposed to be rejected. For tokens obtained through the client credentials grant that comparison was not performed, so a revocation action had no effect on them.
Attack Vector
The attack is performed over the network and requires high privileges in CVSS terms (PR:H): the attacker must already possess a valid client credential, or an access token issued to that client. Such an attacker can keep using the token after it has been administratively revoked, which allows them to:
- Maintain unauthorized access to protected resources after token revocation
- Potentially access or modify sensitive information that should no longer be accessible
- Evade security controls designed to terminate compromised sessions
The CVSS vector records a limited impact on confidentiality and integrity (C:L/I:L) and none on availability. The attack is network-based, of low complexity, and requires no user interaction; the privileges required are those of the compromised or malicious client itself.
Detection Methods for CVE-2023-0091
Indicators of Compromise
- Successful API requests using client credentials tokens that have been previously revoked
- Audit logs showing token usage after administrative revocation events
- Anomalous access patterns from service accounts after credential rotation
- Unexpected data access or modifications from machine-to-machine integrations
Detection Strategies
- Monitor Keycloak audit logs for authentication events involving client credential grants
- Implement additional application-level token validation at the resource server: Keycloak has no CRL-style revocation list, so either introspect each token against the authorization server or compare the token's iat claim with a locally recorded "not before" timestamp taken from the revocation event
- Review access logs for service accounts that should have been disabled
- Compare token usage timestamps against revocation timestamps in security audit trails
Monitoring Recommendations
- Enable Keycloak login events (CLIENT_LOGIN, INTROSPECT_TOKEN) and admin events so that every client credential authentication and every revocation action is recorded
- Set up alerts for successful authentications following token revocation events
- Monitor API endpoints for access from potentially compromised service accounts
- Implement real-time correlation between revocation actions and subsequent access attempts
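The correlation described in the detection and monitoring lists above, as an added example (not Keycloak's or Red Hat's code): a revocation event for a client sets a cutoff, and any later request that presents a token issued before that cutoff is flagged. The log shape is constructed for this example and is not Keycloak's native event format; in practice the "revocation" records come from Keycloak admin events and the "access" records from the resource server, which must log the iat claim of each bearer token it accepts. A vulnerable Keycloak reports such tokens as active, so this timestamp comparison is the only place the bypass becomes visible.

```python
"""Detection for CVE-2023-0091: flag client-credential tokens that keep being
accepted after the client's tokens were revoked.

Added example (not Keycloak's code). The log shape is constructed for this
example, not Keycloak's native event format: one JSON object per line with
  - "revocation": the moment an administrator revoked a client's tokens
    (in Keycloak this is the realm/client "not before" push), or
  - "access": a resource-server request that presented a bearer token,
    with the token's "iat" claim copied into the log line.
"""
import json
from datetime import datetime, timezone

# Constructed sample: the 10:06:10 request reuses a token issued at 10:00:00
# after the 10:05:00 revocation; the 10:07:30 request carries a token issued
# after the revocation (legitimate re-authentication with the client secret).
SAMPLE_LOG = """\
{"event": "access", "ts": "2023-01-13T10:00:05Z", "client_id": "billing-svc", "iat": 1673604000}
{"event": "revocation", "ts": "2023-01-13T10:05:00Z", "client_id": "billing-svc", "admin": "secops"}
{"event": "access", "ts": "2023-01-13T10:06:10Z", "client_id": "billing-svc", "iat": 1673604000}
{"event": "access", "ts": "2023-01-13T10:07:30Z", "client_id": "billing-svc", "iat": 1673604420}
{"event": "access", "ts": "2023-01-13T10:08:00Z", "client_id": "reporting-svc", "iat": 1673604000}
"""


def to_epoch(ts: str) -> int:
    """Parse an ISO-8601 UTC timestamp ('...Z') into epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_events(text: str) -> list:
    """Parse one JSON event per line and return them ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts_epoch"] = to_epoch(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts_epoch"])


def find_revoked_token_use(events: list) -> list:
    """Return access events whose token predates the most recent revocation
    of that client and which occurred after that revocation."""
    revoked_at = {}   # client_id -> epoch seconds of the latest revocation seen
    findings = []
    for ev in events:  # time-ordered, so a revocation is seen before later accesses
        if ev["event"] == "revocation":
            revoked_at[ev["client_id"]] = ev["ts_epoch"]
        elif ev["event"] == "access":
            cutoff = revoked_at.get(ev["client_id"])
            if cutoff is not None and ev["iat"] < cutoff <= ev["ts_epoch"]:
                findings.append({
                    "client_id": ev["client_id"],
                    "ts": ev["ts"],
                    "token_iat": ev["iat"],
                    "revoked_at": cutoff,
                    "reason": "token issued before revocation still accepted",
                })
    return findings


if __name__ == "__main__":
    for finding in find_revoked_token_use(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the constructed sample, exactly one finding comes out: the 10:06:10 request from billing-svc. The 10:07:30 request is not flagged because its token was issued after the revocation, which is what legitimate re-authentication with the client secret looks like; that distinction is why the rule compares iat, not just the request time.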
How to Mitigate CVE-2023-0091
Immediate Actions Required
- Review the Red Hat CVE-2023-0091 Advisory for patch availability and upgrade instructions
- Audit all service accounts using client credential flows to identify potentially affected integrations
- Rotate credentials for any service accounts where token revocation is critical
- Implement short token lifetimes to reduce the window of exploitation
Patch Information
Red Hat has acknowledged this vulnerability. Organizations should consult the Red Hat CVE-2023-0091 Advisory for the affected and fixed package versions and apply the security updates it lists for Red Hat Keycloak and Red Hat Single Sign-On 7.0.
Workarounds
- Reduce access token lifetimes to minimize the impact of revocation bypass
- Implement token introspection at the resource server level to validate tokens against the authorization server
- Do not rely on refresh token rotation here: the client credentials grant normally issues no refresh token (RFC 6749 section 4.4.3), the client simply requests a new access token with its secret. Rotate the client secret instead, so that re-authentication fails once the old access token expires
- Consider implementing additional authorization checks at the application layer
# Configuration example - Reduce token lifespan in Keycloak realm settings
# (Admin Console > Realm Settings > Tokens, or through kcadm as below).
# Log kcadm in against the admin realm first; for RH-SSO 7 the server URL
# carries the /auth prefix (e.g. http://localhost:8080/auth).
/opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin
# Access Token Lifespan: 60 seconds (all of these values are in seconds)
# Client Session Idle: 30 minutes
# Client Session Max: 1 hour
/opt/keycloak/bin/kcadm.sh update realms/your-realm \
-s accessTokenLifespan=60 \
-s clientSessionIdleTimeout=1800 \
-s clientSessionMaxLifespan=3600
# Enable login and admin event logging so that client credential logins,
# token introspection and revocation actions appear in the server log
/opt/keycloak/bin/kcadm.sh update events/config \
-r your-realm \
-s eventsEnabled=true \
-s adminEventsEnabled=true \
-s adminEventsDetailsEnabled=true \
-s eventsListeners='["jboss-logging"]' \
-s enabledEventTypes='["CLIENT_LOGIN","CLIENT_LOGIN_ERROR","TOKEN_EXCHANGE","INTROSPECT_TOKEN","REVOKE_GRANT"]'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.