A flaw was found in Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) implementation. When FGAP v2 is enabled, the role groups endpoints (GET /admin/realms/{realm}/clients/{clientUuid}/roles/{roleName}/groups and GET /admin/realms/{realm}/roles/{roleName}/groups) fail to correctly enforce per-group view permissions. The RoleContainerResource.getGroupsInRole() method only verifies that the caller has permission to view the role itself (auth.roles().requireView(roleContainer)). It then returns representations for all groups mapped to that role without verifying if the caller has permission to view each individual group (auth.groups().canView(group)). This allows a delegated administrator with role view access to enumerate hidden groups and retrieve their metadata, including names, paths, and custom attributes, even if direct access to those groups is correctly denied with a 403 Forbidden error.
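The authorization gap described above is easiest to see side by side: a handler that only checks the role container against one that additionally filters each mapped group through the per-group view check. The following is an added, self-contained Python model written for this page; it is not Keycloak's code. The evaluator classes, the `Forbidden` exception, the `role_groups` mapping, and the sample admin, role and groups are all constructed here to mirror the names the description uses (`auth.roles().requireView(...)`, `auth.groups().canView(...)`), nothing more.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Models the 403 the admin API returns when a check fails (constructed)."""


@dataclass(frozen=True)
class Group:
    name: str
    path: str
    attributes: tuple = ()  # custom attributes as (key, value) pairs


@dataclass(frozen=True)
class Admin:
    """A delegated administrator with fine-grained view grants (constructed)."""
    name: str
    viewable_roles: frozenset
    viewable_groups: frozenset  # group names this admin may view


class RolePermissionEvaluator:
    def __init__(self, admin: Admin):
        self.admin = admin

    def require_view(self, role: str) -> None:
        # Equivalent of auth.roles().requireView(roleContainer): raise if not viewable.
        if role not in self.admin.viewable_roles:
            raise Forbidden(f"{self.admin.name} may not view role {role!r}")


class GroupPermissionEvaluator:
    def __init__(self, admin: Admin):
        self.admin = admin

    def can_view(self, group: Group) -> bool:
        # Equivalent of auth.groups().canView(group): per-group decision.
        return group.name in self.admin.viewable_groups


class AuthEvaluator:
    """Stand-in for the admin permission evaluator the handlers consult."""
    def __init__(self, admin: Admin):
        self.admin = admin

    def roles(self) -> RolePermissionEvaluator:
        return RolePermissionEvaluator(self.admin)

    def groups(self) -> GroupPermissionEvaluator:
        return GroupPermissionEvaluator(self.admin)


def to_representation(group: Group) -> dict:
    """What the endpoint returns per group: name, path and custom attributes."""
    return {"name": group.name, "path": group.path, "attributes": dict(group.attributes)}


def groups_in_role_vulnerable(auth: AuthEvaluator, role: str, role_groups: dict) -> list:
    """Checks only the role container, then returns every mapped group (the flaw)."""
    auth.roles().require_view(role)
    return [to_representation(g) for g in role_groups.get(role, ())]


def groups_in_role_fixed(auth: AuthEvaluator, role: str, role_groups: dict) -> list:
    """Same role check, plus a per-group view check before each group is exposed."""
    auth.roles().require_view(role)
    group_eval = auth.groups()
    return [to_representation(g) for g in role_groups.get(role, ()) if group_eval.can_view(g)]


def get_group_direct(auth: AuthEvaluator, group: Group) -> dict:
    """Direct group lookup, which already enforces the per-group check correctly."""
    if not auth.groups().can_view(group):
        raise Forbidden(f"{auth.admin.name} may not view group {group.name!r}")
    return to_representation(group)


# Constructed sample data: one role mapped to a visible and a hidden group.
PUBLIC_TEAM = Group("public-team", "/public-team")
HIDDEN_TEAM = Group("hidden-team", "/internal/hidden-team", (("cost-center", "4711"),))
ROLE_GROUPS = {"reviewer": (PUBLIC_TEAM, HIDDEN_TEAM)}

# A delegated admin granted view on the role and on public-team only.
DELEGATE = Admin("delegate", frozenset({"reviewer"}), frozenset({"public-team"}))


def demo() -> tuple:
    """Returns (names leaked by the vulnerable handler, names from the fixed one)."""
    auth = AuthEvaluator(DELEGATE)
    leaked = [g["name"] for g in groups_in_role_vulnerable(auth, "reviewer", ROLE_GROUPS)]
    enforced = [g["name"] for g in groups_in_role_fixed(auth, "reviewer", ROLE_GROUPS)]
    return leaked, enforced


if __name__ == "__main__":
    leaked, enforced = demo()
    print("vulnerable handler returned:", leaked)
    print("fixed handler returned:     ", enforced)
```

Running the model reproduces the inconsistency the description points out: the direct group lookup for `hidden-team` is denied, yet the vulnerable role-groups handler still hands back its name, path and custom attributes. A test for this class of bug should exercise exactly that pair of requests with a delegated admin whose group grants are narrower than their role grants.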