Beside its core functionality as Identity Provider, Keycloak implements the OIDC Service Provider part of the specification for the _identity brokerage_ feature. In doing so, Keycloak provides dedicated _redirect_uris_ for each configured OIDC IdP (https://keycloak.local/auth/realms/{realm}/broker/{alias}/endpoint). The _redirect_uri_ endpoint does not invalidate "state" values if they are redeemed multiple times. As a result, multiple requests to this endpoint including one valid "state" value result in requests to the IdP's Token Endpoint being initiated by Keycloak. Jira: https://issues.redhat.com/browse/KEYCLOAK-14483
Acknowledgments: Name: Lauritz Holtmann (@_lauritz_) (Chair for Network and Data Security at Ruhr University Bochum)
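To show the single-use property the fix restores, here is an added Python model of a broker callback whose state registry either consumes a "state" value on first redemption or accepts it every time; this is illustration code, not Keycloak's own implementation, and the in-memory store, the 300-second lifetime and all names are assumptions.

```python
import secrets

# Constructed stand-in for a broker "state" registry; Keycloak's real storage differs.
STATE_TTL_SECONDS = 300  # assumed lifetime for an outstanding state value


class StateStore:
    def __init__(self, single_use: bool):
        self.single_use = single_use
        self._states = {}  # state -> (issued_at, idp_alias)

    def issue(self, idp_alias: str, now: float) -> str:
        """Create an unguessable state bound to one IdP alias when redirecting to it."""
        state = secrets.token_urlsafe(32)
        self._states[state] = (now, idp_alias)
        return state

    def redeem(self, state: str, idp_alias: str, now: float) -> bool:
        """Accept a state once (hardened) or every time it is presented (vulnerable)."""
        entry = self._states.get(state)
        if entry is None:
            return False
        issued_at, alias = entry
        if alias != idp_alias or now - issued_at > STATE_TTL_SECONDS:
            self._states.pop(state, None)  # wrong alias or expired: discard it
            return False
        if self.single_use:
            del self._states[state]  # first redemption consumes the state
        return True


def broker_endpoint(store, idp_alias, state, code, now, token_requests):
    """Models /broker/{alias}/endpoint: only a valid state may trigger a code exchange."""
    if not store.redeem(state, idp_alias, now):
        return "error: invalid or already-used state"
    token_requests.append((idp_alias, code))  # stand-in for the IdP token-endpoint call
    return "ok"


def simulate(single_use: bool) -> int:
    """Present one state three times; return how many token-endpoint calls resulted."""
    store = StateStore(single_use=single_use)
    token_requests = []
    state = store.issue("upstream-idp", now=1000.0)
    for _ in range(3):
        broker_endpoint(store, "upstream-idp", state, "authz-code", 1001.0, token_requests)
    return len(token_requests)
```

A production store should additionally bind each state to the browser session that started the login, so that a value presented from a different session is rejected even before the single-use check.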
RHSSO 7.4 is affected by this.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 via RHSA-2021:0968 https://access.redhat.com/errata/RHSA-2021:0968
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 via RHSA-2021:0967 https://access.redhat.com/errata/RHSA-2021:0967
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 via RHSA-2021:0969 https://access.redhat.com/errata/RHSA-2021:0969
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.6 via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14302