
Comments (4)

garronej commented on June 27, 2024 (4 reactions)

Thanks a lot for your feedback on this.
It's great to have a solution for the Java side of things.
However, I think the best approach would be to have a Keycloakify build option that enables filtering out some paths.

Like:

vite.config.ts

import { defineConfig } from "vite";
import react from "@vitejs/plugin-react";
import { keycloakify } from "keycloakify/vite-plugin";

export default defineConfig({
  plugins: [
    react(),
    keycloakify({
      // Proposed option (not implemented yet): dotted paths to strip from kcContext
      kcContextExcludes: [
        "client.attributes.*"
      ]
    })
  ],
})

I'll work on something.

from keycloakify.

gim- commented on June 27, 2024 (2 reactions)

Thanks for the quick reply @garronej.

I totally agree that most of the information Keycloak adds to the FreeMarker context isn't sensitive in the sense that it can't be exploited directly like secrets and private keys, but exposing realm configuration details and client certificates without a need might still raise a huge red flag for security analysts. So, adding a way to directly control what Keycloakify adds to kcContext would be very useful.

But currently, for anyone else who might be concerned about this and stumbles upon this thread: I managed to find a way to get control over what data is added to the FreeMarker context by replacing the default FreeMarkerLoginFormsProvider implementation with a custom one. It's not straightforward nor pretty, but it does solve the problem. Here is a quick example of what it looks like:

import java.net.URI;
import java.util.Locale;
import java.util.Properties;

// On Keycloak versions before the Jakarta migration this is javax.ws.rs.core.UriBuilder
import jakarta.ws.rs.core.UriBuilder;

import org.keycloak.forms.login.LoginFormsPages;
import org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider;
import org.keycloak.forms.login.freemarker.model.UrlBean;
import org.keycloak.models.KeycloakSession;
import org.keycloak.theme.Theme;

// Wired in through a LoginFormsProviderFactory registered under
// META-INF/services/org.keycloak.forms.login.LoginFormsProviderFactory (factory not shown here).
public class ReactFreeMarkerLoginFormsProvider extends FreeMarkerLoginFormsProvider {

    public ReactFreeMarkerLoginFormsProvider(KeycloakSession session) {
        super(session);
    }

    @Override
    protected void createCommonAttributes(Theme theme, Locale locale, Properties messagesBundle,
                                          UriBuilder baseUriBuilder, LoginFormsPages page) {
        if (!theme.getName().startsWith("react-")) {
            // Theme name doesn't start with "react-": proceed with the default implementation so the default theme keeps working
            super.createCommonAttributes(theme, locale, messagesBundle, baseUriBuilder, page);
            return;
        }
        // Remove any unused attributes added by the parent implementation before this method is called
        // (attributes, realm, client and actionUri are protected fields inherited from the parent)
        attributes.remove("messagesPerField");
        attributes.remove("scripts");
        attributes.remove("properties");

        if (realm != null) {
            URI baseUri = baseUriBuilder.build();
            attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri));
            // Any realm-related attributes are added here
        }
        if (client != null) {
            // Any client-related attributes are added here
        }
    }
}

And to make it work, the default login forms provider needs to be disabled:

kc.sh build --spi-login-freemarker-enabled=false

And Keycloak will automatically find and use the custom FreeMarker forms provider because it's the only one available.


garronej commented on June 27, 2024

Hello @gim-,
This is a legitimate preoccupation; however, Keycloak itself, in principle, should not expose any sensitive info to the FreeMarker context.

There is currently no way to control what's exposed, but I can do it.
If there are fields that you think should be removed, you can reach me on Discord and I will remove them asap:
https://discord.gg/kYFZG7fQmn


garronej commented on June 27, 2024

Another approach could also be to perform static analysis on the theme source files and to only include in the client-side values that are actually used.
This requires more work though.

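The two filtering strategies discussed in this thread, an exclude list of dotted paths (the proposed kcContextExcludes option in garronej's first comment) and an allowlist derived from which kcContext paths the theme sources actually read (the static-analysis idea above), as one added example. This is not Keycloakify's code and the option does not exist in Keycloakify; the function names, the sample kcContext and the theme snippet are constructed for illustration.

```typescript
// Added example: denylist and allowlist filtering of a kcContext-shaped object.
// Hypothetical: Keycloakify has no kcContextExcludes option; all names here are assumptions.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

/** Split "client.attributes.*" into segments; "*" matches any single key. */
function parsePattern(pattern: string): string[] {
  return pattern.split(".").filter(s => s.length > 0);
}

/** True when `pattern` matches `path` segment by segment ("*" is a wildcard). */
function pathMatches(path: string[], pattern: string[]): boolean {
  if (path.length < pattern.length) return false;
  return pattern.every((seg, i) => seg === "*" || seg === path[i]);
}

/** Deep-copy `value`, dropping every key whose dotted path matches one of `excludes`. */
function excludePaths(value: Json, excludes: string[]): Json {
  const patterns = excludes.map(parsePattern);
  const walk = (node: Json, path: string[]): Json => {
    if (Array.isArray(node)) return node.map(item => walk(item, path)); // arrays keep the parent path
    if (node === null || typeof node !== "object") return node;
    const out: { [key: string]: Json } = {};
    for (const [key, child] of Object.entries(node)) {
      const childPath = [...path, key];
      if (patterns.some(p => pathMatches(childPath, p))) continue; // pruned subtree
      out[key] = walk(child, childPath);
    }
    return out;
  };
  return walk(value, []);
}

/** Collect every dotted kcContext member access in theme source text (regex-based approximation). */
function collectUsedPaths(source: string): Set<string> {
  const used = new Set<string>();
  const re = /\bkcContext((?:\.[A-Za-z_$][\w$]*)+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) used.add(m[1].slice(1));
  return used;
}

/** Keep only the subtrees that some used path points at; everything else is dropped. */
function keepOnlyUsed(value: Json, usedPaths: Set<string>): Json {
  const keep = Array.from(usedPaths).map(p => p.split("."));
  const isPrefixOf = (short: string[], long: string[]) =>
    short.length <= long.length && short.every((seg, i) => seg === long[i]);
  const walk = (node: Json, path: string[]): Json | undefined => {
    if (keep.some(k => isPrefixOf(k, path))) return node; // a used path ends at or above this node
    if (node === null || typeof node !== "object" || Array.isArray(node)) return undefined;
    const out: { [key: string]: Json } = {};
    for (const [key, child] of Object.entries(node)) {
      const childPath = [...path, key];
      if (!keep.some(k => isPrefixOf(childPath, k))) continue; // not on the way to any used path
      const kept = walk(child, childPath);
      if (kept !== undefined) out[key] = kept;
    }
    return out;
  };
  return walk(value, []) ?? {};
}

// Constructed sample in the shape of a kcContext; every value is made up.
const sampleKcContext: Json = {
  pageId: "login.ftl",
  realm: { name: "demo", displayName: "Demo", registrationAllowed: true },
  client: {
    clientId: "frontend",
    attributes: { "saml.signing.certificate": "MIIB...(constructed)", "post.logout.redirect.uris": "+" },
  },
  url: { loginAction: "https://idp.example/realms/demo/login-actions/authenticate" },
};

// Constructed theme snippet: only three kcContext paths are read.
const sampleThemeSource = `
  const { kcContext } = props;
  return (
    <form action={kcContext.url.loginAction}>
      <h1>{kcContext.realm.displayName}</h1>
      <small>{kcContext.client.clientId}</small>
    </form>
  );
`;

/** Run both strategies over the sample and return the results for inspection. */
function demo(): { denied: Json; allowed: Json } {
  const denied = excludePaths(sampleKcContext, ["client.attributes.*"]);
  const allowed = keepOnlyUsed(sampleKcContext, collectUsedPaths(sampleThemeSource));
  return { denied, allowed };
}

console.log(JSON.stringify(demo(), null, 2));
```

The exclude form removes the certificate attributes but leaves an empty `client.attributes` object behind, whereas the allowlist form strips everything the theme does not reference, including `pageId` and the realm's `registrationAllowed` flag. The regex in collectUsedPaths only sees direct member chains, so a theme that destructures `const { client } = kcContext` would need a real AST walk to be analysed correctly; that limitation is why the allowlist approach is the one the thread describes as requiring more work.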
