Is your feature request related to a problem? Please describe.
Keycloak-radius-plugin manages a separate RADIUS password, which is essential for CHAP/MSCHAPv2. It is a good idea anyway to allow RADIUS access without risk of exposing the primary Keycloak password. This would be especially useful for wifi, where the RADIUS password is stored on the client device and not suitable for TOTP or frequent updates. Also, users may misconfigure certificate validation which makes it easy to steal the password via a rogue access point.

However, there are a couple of practical problems at the moment:

1. As far as I can see, users cannot decide when to set or change their RADIUS password. It has to be triggered by an administrator applying the "Update Radius Password" action to their account, either as a required action on next login, or via a credential reset E-mail.
2. The RADIUS password is not subject to Password Policies, so there is a strong incentive to set a stupidly simple one - or to re-use the main Keycloak password (which leads to risk of account takeover if the RADIUS password is captured).

Describe the solution you'd like
Part 1: add a button to the /account/ page where users can reset their RADIUS password. I think this is needed anyway.

Part 2: I would like to configure the RADIUS password to be set completely at random. This could occur by an administrator action as today (e.g. "Generate Radius Password"). It would be displayed to the user once, and when they click "OK" they'd never see it again.

A suitable strong password would be a sequence of 16 letters, as Google use for their app specific passwords (this has 75.2 bits of entropy), although you might want this to be configurable:

Describe alternatives you've considered
It would be possible to apply Keycloak password policies to RADIUS passwords. However, this still encourages people to try to pick "memorable" passwords instead of a proper strong one.

I also have a problem that I want to disable passwords entirely for Keycloak logins, forcing users to use IDP links instead: and at the moment the only way I can see to do this is to set an impossible password policy like regex .{400}. I don't want that to prevent setting a RADIUS password, so in that case I'd need a separate password policy for RADIUS.

Random passwords are inherently more secure than user-chosen passwords, and uncorrelated to the main Keycloak password (if any).

Additional context
n/a

Hello,

Thanks for integrating radius into keycloak.

I am trying to run radtest -t mschap testuser testuserpassword keycloak-radius-server 1812 secret, I do not get any response from the embedded radius server. However, when I run radtest testuser testuserpassword keycloak-radius-server 1812 secret, the radius server authenticates the testuser properly. The plugin that I have used is mikrotik since according to your description, it supports mschapv2.

Thanks for your help!

I am just wondering if this plugin could work with latest Version 17.0.0
Thx

I've set up this plugin in our Keycloak instance, but I can't figure out which Authentication Flow is being used.

Background is, that our users are required to have an OTP setup, but the OTP is only necessary for the certain flows (mainly the Browser flow). Other flows still allow usage of the OTP but do not require it, since logins with these flows is restricted to certain clients and users.
With this radius plugin, I'm able to log in using the password plus OTP, but am not able to log in using only the password.

Is there a way to tell this plugin to use a separate authentication flow which only requires the password and optionally takes the OTP?

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.19.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz

Path to dependency file: keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json

Path to vulnerable library: keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/axios/package.json

Dependency Hierarchy:

• keycloak-connect-11.0.3.tgz (Root Library)
  • chromedriver-87.0.2.tgz
    • ❌ axios-0.19.2.tgz (Vulnerable Library)

Found in HEAD commit: 41e65dde1e03f0ffb3b2bf3a97cfbaecd6211e78

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Is your feature request related to a problem? Please describe.
I'm trying to integrate the RADIUS functionality with our UniFi setup. It works fine for VPN login, but for WPA2/3 Enterprise, our clients need EAP support. macOS and iOS only support EAP protocols (like PEAP).

Describe the solution you'd like
It would be great if this plugin would support at least LEAP, better would be PEAP.

Describe alternatives you've considered
There aren't many alternatives here. At least I couldn't think of any.

Additional context
None

I probably missed anything but seems the Keycloak-Radius-Server automatically sends out an attribute "Acct-Interim-Interval=60" which almost all of our devices either accept or ignore but one device type rejects authentication if send. Question: is there an easy way to prevent sending this attribute?

Without OTP, Mikrotik logins are working as expected.

As soon as I enable OTP, logins fail from Winbox but the Mikrotik logs show the login as successful and then immediately log out.

I've attached a snip of the relevant RADIUS debug logs on the Mikrotik.

CVE-2021-44906 - High Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /Examples/OneTimePasswordJSExample/package.json

Path to vulnerable library: /Examples/OneTimePasswordJSExample/node_modules/minimist/package.json,/Examples/RadiusAuthorizationJSExample/node_modules/minimist/package.json,/Examples/ConditionAccessRequestJSExample/node_modules/minimist/package.json,/Examples/WebAuthnJSExample/node_modules/minimist/package.json,/Examples/OTPPasswordJSExample/node_modules/minimist/package.json,/Examples/LdapOtpExample/node_modules/minimist/package.json,/Examples/RadiusDefaultRealmJSExample/node_modules/minimist/package.json,/Examples/RadiusServiceAccountJSExample/node_modules/minimist/package.json

Dependency Hierarchy:

• express-handlebars-6.0.3.tgz (Root Library)
  • handlebars-4.7.7.tgz
    • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 8c44b2a0c6ccaa9c54f09217700309204f8ac5f4

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Release Date: 2022-03-17

Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Step up your Open Source Security Game with WhiteSource here

CVE-2022-23539 - Medium Severity Vulnerability

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /Examples/RadiusServiceAccountJSExample/package.json

Path to vulnerable library: /Examples/RadiusServiceAccountJSExample/node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution: jsonwebtoken - 9.0.0

Step up your Open Source Security Game with Mend here

I have successfully created the radius as it is authenticating with the local username and password.

after connect to azure active directory i am able to login to the application with azure Username and Password

but when try authenticate my radius client with the same username and password its is not working.

CVE-2022-23529 - High Severity Vulnerability

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /Examples/RadiusServiceAccountJSExample/package.json

Path to vulnerable library: /Examples/RadiusServiceAccountJSExample/node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions <= 8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link of the jwt.verify() function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the jwt.verify() on a host that you control. This issue has been fixed, please update to version 9.0.0.

Publish Date: 2022-12-21

URL: CVE-2022-23529

CVSS 3 Score Details (7.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-27h2-hvpr-p74q

Release Date: 2022-12-21

Fix Resolution: jsonwebtoken - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-1214 - High Severity Vulnerability

Vulnerable Library - axios-0.24.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.24.0.tgz

Path to dependency file: /Examples/WebAuthnJSExample/package.json

Path to vulnerable library: /Examples/WebAuthnJSExample/node_modules/axios/package.json,/Examples/RadiusServiceAccountJSExample/node_modules/chromedriver/node_modules/axios/package.json,/Examples/OneTimePasswordJSExample/node_modules/axios/package.json

Dependency Hierarchy:

• keycloak-connect-17.0.1.tgz (Root Library)
  • chromedriver-100.0.0.tgz
    • ❌ axios-0.24.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution: axios - v0.26.0

Step up your Open Source Security Game with WhiteSource here

Describe the bug
Proxying to upstream radius server doesn't work

To Reproduce
Steps to reproduce the behavior:

1. Running a local radius server in docker by

docker run --rm --name my-radius -t -p 1812-1813:1812-1813/udp freeradius/freeradius-server -X

2. issue radtest bob test 127.0.0.1 0 testing123 and found the radius server received the login attempt and reject. It shows the radius server is working.
   

3. Running a keycloak radius plugin instance by

sh bin/kc.sh --debug 8190 start-dev --http-port=8090

as per the https://github.com/vzakharchenko/keycloak-radius-plugin/releases v1.4.2-17.0.0 steps
5. Configure the proxy as per the doc: https://github.com/vzakharchenko/keycloak-radius-plugin/tree/master/keycloak-plugins/proxy-radius-plugin
6. When logging into the keycloak instance, no log from radius server. And the logging is success without any issue

Expected behavior

• There should be receiving logs from radius server.
• The logging in should fail as should be not allowed from radius server.

Describe the bug
Start radius server using docker keeps restarting

To Reproduce
Steps to reproduce the behavior:

1. Go to 'documentation'
2. Run docker image following the doc https://github.com/vzakharchenko/keycloak-radius-plugin/blob/master/docker/README.md
3. Check log
4. See error

~/keycloak-radius
⇡6% ➜ docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED          STATUS                        PORTS     NAMES
f528760367f9   vassio/keycloak-radius-plugin   "/opt/radius/scripts…"   12 seconds ago   Restarting (0) 1 second ago             keycloak-radius-plugin

~/keycloak-radius
⇡6% ➜ docker logs f528
{"sharedSecret":"secret","authPort":1812,"accountPort":1813,"useUdpRadius":true,"externalDictionary":"""","radsec":{"privateKey":"/config/private.key","certificate":"/config/public.crt","useRadSec":false},"coa":{"port":3799,"useCoA":false}}
mkdir: created directory '/opt/keycloak/config/'
Keycloak - Open Source Identity and Access Management

Find more information at: https://www.keycloak.org/docs/latest

Usage:

kc.sh [OPTIONS] [COMMAND]

Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.sh") to execute from the current folder.

Options:

-cf, --config-file <file>
                     Set the path to a configuration file. By default, configuration properties are
                       read from the "keycloak.conf" file in the "conf" directory.
-h, --help           This help message.
-v, --verbose        Print out error details when running this command.
-V, --version        Show version information

Commands:

  build                   Creates a new and optimized server image.
  start                   Start the server.
  start-dev               Start the server in development mode.
  export                  Export data from realms to a file or directory.
  import                  Import data from a directory or a file.
  show-config             Print out the current configuration.
  tools                   Utilities for use and interaction with the server.
    completion            Generate bash/zsh completion script for kc.sh.

Examples:

  Start the server in development mode for local development or testing:

      $ kc.sh start-dev

  Building an optimized server runtime:

      $ kc.sh build <OPTIONS>

  Start the server in production mode:

      $ kc.sh start <OPTIONS>

  Enable auto-completion to bash/zsh:

      $ source <(kc.sh tools completion)

  Please, take a look at the documentation for more details before deploying in
production.

Use "kc.sh start --help" for the available options when starting the server.
Use "kc.sh <command> --help" for more information about other commands.
{"sharedSecret":"secret","authPort":1812,"accountPort":1813,"useUdpRadius":true,"externalDictionary":"""","radsec":{"privateKey":"/config/private.key","certificate":"/config/public.crt","useRadSec":false},"coa":{"port":3799,"useCoA":false}}
Keycloak - Open Source Identity and Access Management

Find more information at: https://www.keycloak.org/docs/latest

Usage:

kc.sh [OPTIONS] [COMMAND]

Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.sh") to execute from the current folder.

Options:

-cf, --config-file <file>
                     Set the path to a configuration file. By default, configuration properties are
                       read from the "keycloak.conf" file in the "conf" directory.
-h, --help           This help message.
-v, --verbose        Print out error details when running this command.
-V, --version        Show version information

Commands:

  build                   Creates a new and optimized server image.
  start                   Start the server.
  start-dev               Start the server in development mode.
  export                  Export data from realms to a file or directory.
  import                  Import data from a directory or a file.
  show-config             Print out the current configuration.
  tools                   Utilities for use and interaction with the server.
    completion            Generate bash/zsh completion script for kc.sh.

Examples:

  Start the server in development mode for local development or testing:

      $ kc.sh start-dev

  Building an optimized server runtime:

      $ kc.sh build <OPTIONS>

  Start the server in production mode:

      $ kc.sh start <OPTIONS>

  Enable auto-completion to bash/zsh:

      $ source <(kc.sh tools completion)

  Please, take a look at the documentation for more details before deploying in
production.

Use "kc.sh start --help" for the available options when starting the server.
Use "kc.sh <command> --help" for more information about other commands.
{"sharedSecret":"secret","authPort":1812,"accountPort":1813,"useUdpRadius":true,"externalDictionary":"""","radsec":{"privateKey":"/config/private.key","certificate":"/config/public.crt","useRadSec":false},"coa":{"port":3799,"useCoA":false}}
Keycloak - Open Source Identity and Access Management

Find more information at: https://www.keycloak.org/docs/latest

Usage:

kc.sh [OPTIONS] [COMMAND]

Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.sh") to execute from the current folder.

Options:

-cf, --config-file <file>
                     Set the path to a configuration file. By default, configuration properties are
                       read from the "keycloak.conf" file in the "conf" directory.
-h, --help           This help message.
-v, --verbose        Print out error details when running this command.
-V, --version        Show version information

Commands:

  build                   Creates a new and optimized server image.
  start                   Start the server.
  start-dev               Start the server in development mode.
  export                  Export data from realms to a file or directory.
  import                  Import data from a directory or a file.
  show-config             Print out the current configuration.
  tools                   Utilities for use and interaction with the server.
    completion            Generate bash/zsh completion script for kc.sh.

Examples:

  Start the server in development mode for local development or testing:

      $ kc.sh start-dev

  Building an optimized server runtime:

      $ kc.sh build <OPTIONS>

  Start the server in production mode:

      $ kc.sh start <OPTIONS>

  Enable auto-completion to bash/zsh:

      $ source <(kc.sh tools completion)

  Please, take a look at the documentation for more details before deploying in
production.

Use "kc.sh start --help" for the available options when starting the server.
Use "kc.sh <command> --help" for more information about other commands.

Expected behavior
Should not restart

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: macOS Monterey

Additional context
Tried on PWD the same issue.

https://www.docker.com/play-with-docker/

Hi,

we have an Active Directory Environment and sync users via LDAP into keycloak. All users have an OTP enrolled and I have a radius client that is using PAP as protocol. I was not able resolve the following issues:

• LDAP users are not able to login with LDAP PW + OTP in general. Is this combination supported?
• How can we inject user attributes into the RADIUS response? I would like to forward a specific group name to the radius client to map firewall permissions. The radius response does not contain any attributes
• Is there any way to restrict radius logins to a specific role/group?

Thanks
Tobias

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/elliptic/package.json

Dependency Hierarchy:

• keycloak-connect-10.0.1.tgz (Root Library)
  • jwk-to-pem-2.0.3.tgz
    • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 95bc7f43a12af6f4636b8768a5ca53fe0cac6b1e

Vulnerability Details

all versions before 6.5.2 of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Describe the bug
Although log4j functionality is still unused, the log4j lookup is still in the image.
Deploying the latest (1.3.7-16.1.0) immediately lights up the scanners for vulnerable images.
(as .zip get analyzed, only downloading and leaving the image is sufficient to flag a warning).

To Reproduce
Steps to reproduce the behavior:
*Download the image....
*in case .zip is not scanned, deploy the image
Run a scan for jndi_lookup with problems.

Expected behavior
Non-sensitive image, why include unused tools, lean images are to be prefered.

Screenshots
N/A

Desktop (please complete the following information):
N/A

Smartphone (please complete the following information):
N/A

Additional context
The log4j scanning proabaly is hete to staya while.

Is your feature request related to a problem? Please describe.
A new keycloak has been issued

Describe the solution you'd like
Update your distribution of the combined kit?

Describe alternatives you've considered
N/A

Additional context
Are the delays caused by the situation in your country?

Describe the bug

I tried to add https://github.com/dasniko/keycloak-2fa-sms-authenticator (build with V 17.0.0 keycloak-quarkus) as provider to your build.

bin/kc.sh build
Updating the configuration and installing your custom providers, if any. Please wait.
2022-02-19 15:36:46,867 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: mikrotik-password (com.github.vzakharchenko.radius.password.RadiusCredentialProviderFactory) is implementing the internal SPI credential. This SPI is internal and may change without notice
2022-02-19 15:36:46,930 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: radius (com.github.vzakharchenko.radius.dm.api.RadiusServiceImpl) is implementing the internal SPI realm-restapi-extension. This SPI is internal and may change without notice
2022-02-19 15:36:46,976 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: radius-protocol (com.github.vzakharchenko.radius.client.RadiusLoginProtocolFactory) is implementing the internal SPI login-protocol. This SPI is internal and may change without notice
2022-02-19 15:36:47,043 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: oidc-radius-password (com.github.vzakharchenko.radius.mappers.RadiusPasswordMapper) is implementing the internal SPI protocol-mapper. This SPI is internal and may change without notice
2022-02-19 15:36:47,081 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: radius-disconnect-message-factory (com.github.vzakharchenko.radius.dm.jpa.RadiusLogoutJpaEntityProviderFactory) is implementing the internal SPI jpa-entity-provider. This SPI is internal and may change without notice
2022-02-19 15:36:47,199 WARN [org.keycloak.services] (build-64) KC-SERVICES0047: sms-authenticator (dasniko.keycloak.authenticator.SmsAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice
ERROR: Failed to run 'build' command.
ERROR: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
[error]: Build step org.keycloak.quarkus.deployment.KeycloakProcessor#configureProviders threw an exception: java.util.ServiceConfigurationError: com.github.vzakharchenko.radius.providers.IRadiusAuthHandlerProviderFactory: Provider com.github.vzakharchenko.radius.radius.handlers.AuthHandler could not be instantiated
at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:582)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:804)
at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:722)
at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1395)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:94)
at org.keycloak.quarkus.deployment.KeycloakProcessor.loadFactories(KeycloakProcessor.java:456)
at org.keycloak.quarkus.deployment.KeycloakProcessor.configureProviders(KeycloakProcessor.java:254)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at io.quarkus.deployment.ExtensionLoader$2.execute(ExtensionLoader.java:882)
at io.quarkus.builder.BuildContext.run(BuildContext.java:277)
at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at java.base/java.lang.Thread.run(Thread.java:829)
at org.jboss.threads.JBossThread.run(JBossThread.java:501)
Caused by: java.lang.LinkageError: loader constraint violation: when resolving method 'org.slf4j.ILoggerFactory org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()' the class loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5 of the current class, org/slf4j/LoggerFactory, and the class loader java.net.URLClassLoader @35d019a3 for the method's defining class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type org/slf4j/ILoggerFactory used in the signature (org.slf4j.LoggerFactory is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5, parent loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @1f760b47; org.slf4j.impl.StaticLoggerBinder is in unnamed module of loader java.net.URLClassLoader @35d019a3, parent loader 'app')
at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:423)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:362)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:388)
at org.tinyradius.server.handler.RequestHandler.(RequestHandler.java:11)
at com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.(AbstractThreadRequestHandler.java:10)
at com.github.vzakharchenko.radius.radius.handlers.AbstractHandler.(AbstractHandler.java:15)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.(AuthHandler.java:30)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:780)
... 17 more

ERROR: Build failure: Build failed due to errors
[error]: Build step org.keycloak.quarkus.deployment.KeycloakProcessor#configureProviders threw an exception: java.util.ServiceConfigurationError: com.github.vzakharchenko.radius.providers.IRadiusAuthHandlerProviderFactory: Provider com.github.vzakharchenko.radius.radius.handlers.AuthHandler could not be instantiated
at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:582)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:804)
at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:722)
at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1395)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:94)
at org.keycloak.quarkus.deployment.KeycloakProcessor.loadFactories(KeycloakProcessor.java:456)
at org.keycloak.quarkus.deployment.KeycloakProcessor.configureProviders(KeycloakProcessor.java:254)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at io.quarkus.deployment.ExtensionLoader$2.execute(ExtensionLoader.java:882)
at io.quarkus.builder.BuildContext.run(BuildContext.java:277)
at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at java.base/java.lang.Thread.run(Thread.java:829)
at org.jboss.threads.JBossThread.run(JBossThread.java:501)
Caused by: java.lang.LinkageError: loader constraint violation: when resolving method 'org.slf4j.ILoggerFactory org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()' the class loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5 of the current class, org/slf4j/LoggerFactory, and the class loader java.net.URLClassLoader @35d019a3 for the method's defining class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type org/slf4j/ILoggerFactory used in the signature (org.slf4j.LoggerFactory is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5, parent loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @1f760b47; org.slf4j.impl.StaticLoggerBinder is in unnamed module of loader java.net.URLClassLoader @35d019a3, parent loader 'app')
at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:423)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:362)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:388)
at org.tinyradius.server.handler.RequestHandler.(RequestHandler.java:11)
at com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.(AbstractThreadRequestHandler.java:10)
at com.github.vzakharchenko.radius.radius.handlers.AbstractHandler.(AbstractHandler.java:15)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.(AuthHandler.java:30)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:780)
... 17 more

ERROR: com.github.vzakharchenko.radius.providers.IRadiusAuthHandlerProviderFactory: Provider com.github.vzakharchenko.radius.radius.handlers.AuthHandler could not be instantiated
ERROR: loader constraint violation: when resolving method 'org.slf4j.ILoggerFactory org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()' the class loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5 of the current class, org/slf4j/LoggerFactory, and the class loader java.net.URLClassLoader @35d019a3 for the method's defining class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type org/slf4j/ILoggerFactory used in the signature (org.slf4j.LoggerFactory is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @49cb9cb5, parent loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @1f760b47; org.slf4j.impl.StaticLoggerBinder is in unnamed module of loader java.net.URLClassLoader @35d019a3, parent loader 'app')
For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

Working Configs:

sms:
bin/kc.sh show-config
Current Mode: none
Runtime Configuration:
kc.cache = ispn (PersistedConfigSource)
kc.config.args = show-config (SysPropConfigSource)
kc.db = mariadb (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-password = ******* (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-url = jdbc:mariadb://localhost/keycloak (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-url-host = localhost (KcEnvVarConfigSource)
kc.db-username = keycloak (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db.url.host = localhost (EnvConfigSource)
kc.home.dir = /opt/keycloak/keycloak-17.0.0/bin/../ (SysPropConfigSource)
kc.hostname = nfkeycloak-dev.itxworks.eu (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.http-enabled = false (PropertiesConfigSource[source=jar:file:///opt/keycloak/keycloak-17.0.0/lib/lib/main/org.keycloak.keycloak-quarkus-server-17.0.0.jar!/META-INF/keycloak.conf])
kc.http-relative-path = / (PersistedConfigSource)
kc.https-certificate-file = /opt/keycloak/current/conf/nfkeycloak.itxworks.eu.fullchain.pem (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.https-certificate-key-file = /opt/keycloak/current/conf/nfkeycloak.itxworks.eu.key.pem (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.metrics-enabled = true (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.provider.file.keycloak-2fa-sms-authenticator-1.0.1-SNAPSHOT.jar.last-modified = 1645296593132 (PersistedConfigSource)
kc.proxy = edge (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.quarkus-properties-enabled = false (PersistedConfigSource)
kc.show.config = none (SysPropConfigSource)
kc.spi-sticky-session-encoder-infinispan-should-attach-route = false (PropertiesConfigSource[source=file:/opt/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.version = 17.0.0 (SysPropConfigSource)

Radius:
bin/kc.sh show-config
Current Mode: none
Runtime Configuration:
kc.cache = ispn (PersistedConfigSource)
kc.config.args = show-config (SysPropConfigSource)
kc.db = dev-file (PersistedConfigSource)
kc.db-url-host = localhost (KcEnvVarConfigSource)
kc.db.url.host = localhost (EnvConfigSource)
kc.home.dir = /opt/keycloak/keycloak-radius/bin/../ (SysPropConfigSource)
kc.http-enabled = false (PropertiesConfigSource[source=jar:file:///opt/keycloak/keycloak-radius/lib/lib/main/org.keycloak.keycloak-quarkus-server-17.0.0.jar!/META-INF/keycloak.conf])
kc.http-relative-path = / (PersistedConfigSource)
kc.metrics-enabled = false (PersistedConfigSource)
kc.provider.file.chillispot-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.cisco-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.mikrotik-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.proxy-radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.rad-sec-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.radius-disconnect-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.provider.file.radius-plugin-1.4.2.jar.last-modified = 1645159168000 (PersistedConfigSource)
kc.quarkus-properties-enabled = false (PersistedConfigSource)
kc.show.config = none (SysPropConfigSource)
kc.version = 17.0.0 (SysPropConfigSource)

Would like to use both together ... appreciate your help...

Thank you.

CVE-2021-35065 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /Examples/RadiusServiceAccountJSExample/package.json

Path to vulnerable library: /Examples/RadiusServiceAccountJSExample/node_modules/glob-parent/package.json,/Examples/WebAuthnJSExample/node_modules/glob-parent/package.json,/Examples/OneTimePasswordJSExample/node_modules/glob-parent/package.json

Dependency Hierarchy:

• keycloak-connect-16.1.0.tgz (Root Library)
  • chromedriver-96.0.0.tgz
    • del-6.0.0.tgz
      • globby-11.0.4.tgz
        • fast-glob-3.2.7.tgz
          • ❌ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b55223b123b87ca05baee2f1273af7fdbffd30b

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: gulpjs/glob-parent#49

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-13822 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/elliptic/package.json

Dependency Hierarchy:

• keycloak-connect-10.0.2.tgz (Root Library)
  • jwk-to-pem-2.0.3.tgz
    • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: ac339c95216ca41a1d00b041526faacaabae2626

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Describe the bug
I'm using v1.3.8 of the plugin with KC 16.1.0, and if I configure a user to have a RADIUS password and I try and authentication as that user, I can specify any password and I get an Access-Accept. If I use CHAP or if I delete the RADIUS password (thus using the user's Keycloak password) I get expected behavior (i.e., only the correct password results in an Access-Accept).

I've tried 19 and the 1.4.8 of the plugin, but then I run into issue #698.

To Reproduce
Steps to reproduce the behavior:

1. Configure a user in a realm in Keycloak
2. Make them set a RADIUS password
3. Authenticate as that user using the wrong password and the PAP protocol
4. See that the user gets an Access-Accept

Expected behavior
I expect to get an Access-Reject.

i have two question, need you help.
1.When I run the expamle program "Assign attributes dynamically using javascript policy", do I need to run "keyclock-radius-plugin" + "free radius" , or just need to run the "keycloak-radius-plugin"?
2. when i only run the "keycloak-radius-plugin" programe, then run example program "Assign attributes dynamically using javascript policy", find out the error information: "Error: Timed out after 2500ms(1 retries)
thank you very much.

Hi Vasiliy,
I plan to use your software and was a bit down when I found out that you are from Ukraine.
But after your recent commits, I really hope you are doing well and am very overwhelmed that you are continuing to work under the circumstances of the Russian invasion.

I wanted to ask if it is possible to send you a donation for your hard work, maybe it can help you even in these hard times.

Thanks to Ukraine for fighting for democracy and against populism, fascism and oligarchy! The whole western world is in your debt.

Has anyone integrated this Radius implementation on Keycloak with SMS per this procedure?

https://www.n-k.de/2020/12/keycloak-2fa-sms-authentication.html

Note that my setup includes an AWS AD with MFA enabled. SMS messages aren't happening for AD login credentials. Local login to Keycloak does prompt SMS message.

Describe the bug

(Or this may be user error - can you enable "Discussions"?)

When I install keycloak-radius-plugin over Keycloak 17.0.0, I don't get the "Update RADIUS password" action under "Required User Actions"

To Reproduce
I installed Keycloak 17.0.0 from scratch already (it's in /opt/keycloak-17.0.0, with a symlink from /opt/keycloak), using the now-default Quarkus version.

I unzipped the relevant parts of keycloak-radius-plugin over it. Note that kc.sh build appears to be necessary to pick up the radius plugin.

unzip -d /opt/keycloak-17.0.0 -n keycloak-radius.zip 'config/**' 'providers/**' 'themes/**'
systemctl stop keycloak
/opt/keycloak/bin/kc.sh build --db=postgres --metrics-enabled=true
systemctl start keycloak

I was then able to add a client name "radius", protocol "radius-protocol", and it responds to RADIUS requests. It works if I do simple Access-Request and I set the Keycloak password on an account:

# radtest brian xyzzy 127.0.0.1 1 secret
Sent Access-Request Id 245 from 0.0.0.0:34311 to 127.0.0.1:1812 length 75
	User-Name = "brian"
	User-Password = "xyzzy"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "xyzzy"
Received Access-Accept Id 245 from 127.0.0.1:1812 to 127.0.0.1:34311 length 20

However, I'm having difficulty setting the separate RADIUS password.

I set the realm admin console theme to "radius". However when I go to the Users > (username) > Details page, I do not see any option for "Update RADIUS password"

I restarted keycloak just to be sure.

There is also no RADIUS option under "Users > (username) > Credentials > Credential Reset"

Expected behavior
The documentation shows a new option "Update Radius password" should be available:

Screenshots
Inline above

Additional context
My goal is to disallow users from setting a Keycloak password (using IDP links to login to Keycloak), and use the RADIUS password only for RADIUS authentication.

Warnings are generated by kc.sh build showing that the RADIUS modules are being picked up:

root@keycloak1:~# /opt/keycloak/bin/kc.sh build --db=postgres --metrics-enabled=true
Updating the configuration and installing your custom providers, if any. Please wait.
2022-03-02 16:34:31,816 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: mikrotik-password (com.github.vzakharchenko.radius.password.RadiusCredentialProviderFactory) is implementing the internal SPI credential. This SPI is internal and may change without notice
2022-03-02 16:34:32,282 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: radius (com.github.vzakharchenko.radius.dm.api.RadiusServiceImpl) is implementing the internal SPI realm-restapi-extension. This SPI is internal and may change without notice
2022-03-02 16:34:32,428 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: radius-protocol (com.github.vzakharchenko.radius.client.RadiusLoginProtocolFactory) is implementing the internal SPI login-protocol. This SPI is internal and may change without notice
2022-03-02 16:34:32,760 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: oidc-radius-password (com.github.vzakharchenko.radius.mappers.RadiusPasswordMapper) is implementing the internal SPI protocol-mapper. This SPI is internal and may change without notice
2022-03-02 16:34:32,806 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: radius-disconnect-message-factory (com.github.vzakharchenko.radius.dm.jpa.RadiusLogoutJpaEntityProviderFactory) is implementing the internal SPI jpa-entity-provider. This SPI is internal and may change without notice
2022-03-02 16:34:34,554 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: UPDATE_RADIUS_PASSWORD (com.github.vzakharchenko.radius.password.UpdateRadiusPassword) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2022-03-02 16:34:57,866 INFO  [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 37347ms
Server configuration updated and persisted. Run the following command to review the configuration:

	kc.sh show-config

Hi.

Log4J 2.14.1 that is referenced in this project is vulnerable to CVE-2021-44228 (aka Log4Shell), about which there has been a lot of noise over the last few days. It should be updated to 2.15.0, which addresses the issue. Although it doesn't look like there are any log statements that would be vulnerable, I'd definitely feel better knowing this particular exploit is nowhere near our Keycloak deployment! In fact, I'm not sure it's even used at all, so maybe it can just be removed?

Thanks,
Nick

CVE-2020-7598 - High Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/extract-zip/node_modules/minimist/package.json

Dependency Hierarchy:

• keycloak-connect-9.0.0.tgz (Root Library)
  • chromedriver-80.0.1.tgz
    • extract-zip-1.6.7.tgz
      • mkdirp-0.5.1.tgz
        • ❌ minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/minimist/package.json,/tmp/ws-scm/keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/minimist/package.json

Dependency Hierarchy:

• express-handlebars-3.1.0.tgz (Root Library)
  • handlebars-4.7.3.tgz
    • optimist-0.6.1.tgz
      • ❌ minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: f7ee59020335252a60fd2f3028cbebba9cd37586

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44907 - Medium Severity Vulnerability

Vulnerable Library - qs-6.9.7.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.9.7.tgz

Path to dependency file: /Examples/WebAuthnJSExample/package.json

Path to vulnerable library: /Examples/WebAuthnJSExample/node_modules/qs/package.json,/Examples/OneTimePasswordJSExample/node_modules/qs/package.json,/Examples/LdapOtpExample/node_modules/qs/package.json,/Examples/ConditionAccessRequestJSExample/node_modules/qs/package.json,/Examples/OTPPasswordJSExample/node_modules/qs/package.json,/Examples/RadiusServiceAccountJSExample/node_modules/qs/package.json,/Examples/RadiusAuthorizationJSExample/node_modules/qs/package.json,/Examples/RadiusDefaultRealmJSExample/node_modules/qs/package.json

Dependency Hierarchy:

• body-parser-1.19.2.tgz (Root Library)
  • ❌ qs-6.9.7.tgz (Vulnerable Library)

Found in HEAD commit: 8c44b2a0c6ccaa9c54f09217700309204f8ac5f4

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;cloudscribe.templates - 5.2.0;KnstAsyncApiUI - 1.0.2-pre;Romano.Vue - 1.0.1;Yarnpkg.Yarn - 0.26.1;VueJS.NetCore - 1.1.1;NativeScript.Sidekick.Standalone.Shell - 1.9.1-v2018050205;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.2;Fable.Template.Elmish.React - 0.1.6;Fable.Snowpack.Template - 2.1.0;Yarn.MSBuild - 0.22.0,0.24.6

Step up your Open Source Security Game with WhiteSource here

My settings are these:
° keycloak radius plugin installed quarks. (ubuntu 20.04.3) ( external server )
running: /opt/keycloak-radius# bin/kc.sh start --hostname=mydomain.cloud --hostname-strict-backchannel=true --https-port=8443
° configured https tls and hostname external ip ( no proxy ).
° radius over TLS configured as radsec port 1812 ,1813.
° configured "mikrotik-radius-plugin" only for login mikrotik
° user created for login test

My Mikrotik
° Routerboard RB750GR3 version 6.49.6 (stable)
° configured radius radsec, accouting AAA

The mistake:
when i go to login by winbox i get the following error in keycloak terminal.

[com.github.vzakharchenko.radius.radius.handlers.AuthHandler] (pool-3-thread-1) failed with message: java.lang.NullPointerException
2022-09-11 12:38:15,706 ERROR [com.github.vzakharchenko.radius.radius.handlers.AuthHandler] (pool-3-thread-2) failed with message: java.lang.NullPointerException
at org.keycloak.events.EventBuilder.(EventBuilder.java:55)
at com.github.vzakharchenko.radius.event.log.EventLoggerUtils.createEvent(EventLoggerUtils.java:32)
at com.github.vzakharchenko.radius.event.log.EventLoggerUtils.createMasterEvent(EventLoggerUtils.java:23)
at com.github.vzakharchenko.radius.radius.handlers.protocols.AbstractAuthProtocol.isValid(AbstractAuthProtocol.java:94)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelRead0(AuthHandler.java:108)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.lambda$channelReadRadius$0(AuthHandler.java:126)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:250)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelReadRadius(AuthHandler.java:124)
at com.github.vzakharchenko.radius.radius.handlers.AuthHandler.directRead(AuthHandler.java:159)
at com.github.vzakharchenko.radsec.handlers.RadSecHandler.lambda$channelReadRadius$0(RadSecHandler.java:42)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:250)
at com.github.vzakharchenko.radsec.handlers.RadSecHandler.channelReadRadius(RadSecHandler.java:36)
at com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.lambda$channelRead0$0(AbstractThreadRequestHandler.java:18)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)

STATUS RADIUS ROUTERBOARD

I don't know where I'm going wrong.

When CoA requests are enabled and the server restarts, CoA request is sent on a separate thread.
Each thread runs in its own thread pool.

Steps to reproduce :

1. Enable CoA requests
2. Logout the radius users or restart the Keycloak server
3. after some period check the log file.

2021-02-05 01:45:00,118 WARNING [io.netty.channel.DefaultChannelPipeline] (nioEventLoopGroup-2-16) An exceptionCaught() event was fired, and it reached at the tail of the pipeline.  It usually means the last handler in the pipeline did not handle the exception.: java.lang.OutOfMemoryError: unable to create native thread: possibly out of memory or process/resource limits reached
        at java.base/java.lang.Thread.start0(Native Method)
        at java.base/java.lang.Thread.start(Thread.java:803)
        at java.base/java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:937)
        at java.base/java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1354)
        at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.channelRead0(AbstractThreadRequestHandler.java:18)
        at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AbstractThreadRequestHandler.channelRead0(AbstractThreadRequestHandler.java:10)
        at [email protected]//io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at [email protected]//io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
        at [email protected]//io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at [email protected]//io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:271)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at [email protected]//io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1526)
        at [email protected]//io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1275)
        at [email protected]//io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1322)
        at [email protected]//io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
        at [email protected]//io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
        at [email protected]//io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at [email protected]//io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at [email protected]//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at [email protected]//io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at [email protected]//io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
        at [email protected]//io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
        at [email protected]//io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
        at [email protected]//io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
        at [email protected]//io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
        at [email protected]//io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)

Expected:

CoA requests are sent without using their own thread pool, they must use the shared thread pool

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• chore(deps): update dependency org.slf4j:slf4j-simple to v2.0.13
• chore(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.17.1
• chore(deps): update dependency com.github.spotbugs:spotbugs to v4.8.5
• chore(deps): update dependency com.h3xstream.findsecbugs:findsecbugs-plugin to v1.13.0
• chore(deps): update dependency org.apache.maven.plugins:maven-assembly-plugin to v3.7.1
• chore(deps): update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.3.1
• chore(deps): update dependency org.apache.maven.plugins:maven-compiler-plugin to v3.13.0
• chore(deps): update dependency org.apache.maven.plugins:maven-dependency-plugin to v3.6.1
• chore(deps): update dependency org.apache.maven.plugins:maven-gpg-plugin to v3.2.4
• chore(deps): update dependency org.apache.maven.plugins:maven-jar-plugin to v3.4.1
• chore(deps): update dependency org.apache.maven.plugins:maven-pmd-plugin to v3.22.0
• chore(deps): update dependency org.apache.maven.plugins:maven-shade-plugin to v3.5.3
• chore(deps): update dependency org.apache.maven.plugins:maven-source-plugin to v3.3.1
• chore(deps): update dependency org.codehaus.mojo:properties-maven-plugin to v1.2.1
• chore(deps): update dependency org.testng:testng to v7.10.2
• fix(deps): update dependency org.apache.commons:commons-lang3 to v3.14.0
• chore(deps): update actions/cache action to v4
• chore(deps): update actions/checkout action to v4
• chore(deps): update actions/setup-java action to v4
• chore(deps): update actions/setup-node action to v4
• chore(deps): update dependency org.codehaus.mojo:templating-maven-plugin to v3
• chore(deps): update docker/build-push-action action to v5
• chore(deps): update docker/login-action action to v3
• chore(deps): update docker/setup-buildx-action action to v3
• chore(deps): update docker/setup-qemu-action action to v3
• chore(deps): update quay.io/keycloak/keycloak docker tag to v24
• fix(deps): update dependency org.jboss.logmanager:jboss-logmanager to v3
• fix(deps): update keycloak.version to v24 (major) (org.keycloak:keycloak-model-infinispan, org.keycloak:keycloak-authz-client, org.keycloak:keycloak-servlet-filter-adapter, org.keycloak:keycloak-model-jpa, org.keycloak:keycloak-authz-policy-common, org.keycloak:keycloak-server-spi, org.keycloak:keycloak-kerberos-federation)
• 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• fix(deps): update dependency org.keycloak:keycloak-server-spi-private to v21.1.2 [security]
• fix(deps): update dependency org.keycloak:keycloak-core to v23 [security]
• fix(deps): update dependency org.keycloak:keycloak-ldap-federation to v23 [security]
• fix(deps): update dependency org.keycloak:keycloak-services to v23 [security]
• chore(deps): update dependency org.apache.maven.plugins:maven-release-plugin to v3.0.1
• chore(deps): update dependency org.jacoco:jacoco-maven-plugin to v0.8.12
• fix(deps): update dependency io.netty:netty-all to v4.1.109.final
• chore(deps): update dependency com.github.spotbugs:spotbugs-maven-plugin to v4.8.4.0
• chore(deps): update dependency com.mebigfatguy.sb-contrib:sb-contrib to v7.6.4
• chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin to v3.4.1
• chore(deps): update dependency org.mockito:mockito-core to v5.11.0
• chore(deps): update quay.io/keycloak/keycloak docker tag to v21.1.2
• fix(deps): update keycloak.version to v21.1.2 (org.keycloak:keycloak-model-infinispan, org.keycloak:keycloak-authz-client, org.keycloak:keycloak-servlet-filter-adapter, org.keycloak:keycloak-model-jpa, org.keycloak:keycloak-authz-policy-common, org.keycloak:keycloak-server-spi, org.keycloak:keycloak-kerberos-federation)
• Click on this checkbox to rebase all open PRs at once

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• fix(deps): update dependency org.hibernate:hibernate-core to v6

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Describe the bug
After a successful Login with one of my test users, the session won't show up, neither in the user sessions nor in in the active sessions of the client.

The debug log of keycloak says:
[org.keycloak.events] (pool-17-thread-1) type=LOGIN, realmId=master, clientId=radius, userId=c197ec91-8f1a-44ba-b8d2-68fc1f8ada87, ipAddress=172.28.0.1, RADIUS='success Login to RADIUS for user admin', RADIUS_HOST=172.28.0.1

To Reproduce
Steps to reproduce the behavior:

1. Authenticate via RADIUS Protocol
2. check user sessions/client sessions
3. there are no sessions for specific user / active session counter equals 0

Expected behavior
sessions for user listed / active sesssion counter > 0

Additional context
Keycloak is deployed in docker on my local machine
Logins are tested via radtest/radclient provided by freeradius

I think this should be engine.engine() otherwise it throw an error TypeError: engine is not a function.

Git repository issue.

[INFO] Reactor Summary for Keycloak Radius Server 1.4.4-SNAPSHOT:
[INFO]
[INFO] Keycloak Radius Server ............................. SUCCESS [ 3.930 s]
[INFO] Radius plugin ...................................... FAILURE [ 0.851 s]
[INFO] Mikrotik Radius plugin ............................. SKIPPED
[INFO] Cisco Radius plugin ................................ SKIPPED
[INFO] RadSec(Radius over TLS) plugin ..................... SKIPPED
[INFO] Radius Disconnect-Messages plugin .................. SKIPPED
[INFO] Proxy Radius plugin ................................ SKIPPED
[INFO] radius-theme ....................................... SKIPPED
[INFO] Chillispot Radius plugin ........................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.923 s
[INFO] Finished at: 2022-04-15T16:30:12Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal pl.project13.maven:git-commit-id-plugin:4.9.10:revision (validate-the-git-infos) on project radius-plugin: .git directory is not found! Please specify a valid [dotGitDirectory] in your pom.xml -> [Help 1]

Hi, Vasiliy!
I assume there is a typo in --dependencies option of the "setup radius-disconnect plugin" command: keycloak-model-jpa -> org.keycloak.keycloak-model-jpa. Otherwise, it throws an exception (ModuleNotFoundException) at keycloak startup.

CVE-2021-32820 - Medium Severity Vulnerability

Vulnerable Library - express-handlebars-5.3.2.tgz

A Handlebars view engine for Express which doesn't suck.

Library home page: https://registry.npmjs.org/express-handlebars/-/express-handlebars-5.3.2.tgz

Path to dependency file: keycloak-radius-plugin/Examples/OTPPasswordJSExample/package.json

Path to vulnerable library: keycloak-radius-plugin/Examples/OTPPasswordJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/ConditionAccessRequestJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/RadiusDefaultRealmJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/RadiusAuthorizationJSExample/node_modules/express-handlebars/package.json

Dependency Hierarchy:

• ❌ express-handlebars-5.3.2.tgz (Vulnerable Library)

Found in HEAD commit: f42eb0ebaedc72304029b423e82fc408cd7863b8

Found in base branch: master

Vulnerability Details

Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.

Publish Date: 2021-05-14

URL: CVE-2021-32820

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Hello,
I have an issue with the radius theme. When I try to open the Mappers tab or the Installation tab of a client, it does not render properly and shows this page.
I'm not sure if this is intended, if not I can submit a PR to disable those tabs for radius-protocol clients.

Is your feature request related to a problem? Please describe.
I have multiple groups. For this, I only worry about "WiFi" and "VPN". In my domain, there are some accounts that shouldn't have access to any networking, some that should have WiFi but not VPN, and some that have both.

Describe the solution you'd like
I would like to have groups like so:

Describe alternatives you've considered
I have tried every combination of REJECT_RADIUS, REJECT_Connect-Info, and ACCEPT_Connect-Info that I can think of, but I cannot get this behavior working. I cannot seem to handle the case of users who have no membership (users who do not have access to anything).

Is your feature request related to a problem? Please describe.

I am trying to use keycloak-radius-plugin for OTP token verification configured as a secondary RADIUS service with the Cisco AnyConnect VPN stuff. The primary RADIUS service is AD/Windows and performs all the usual authentication and authorization for VPN login.

Cisco just sends the username and OTP token to the secondary RADIUS service and prefers to use PAP. The switch to MSCHAPv2 comes with some other drawbacks and it does not seem to be possible to force the VPN to send password and OTP token to the secondary RADIUS service. Since the password is already checked, it also makes sense not to send it to other services without a need to do so .

I have not found any reference to why OTP-only mode is limited to CHAP/MSCHAPv2 and does not work with PAP. Only the code shows me that someone did a very good job by explicitly excluding PAP from the OTP configuration flag. This is so well done that there must be a very good reason for this, which I am very curious to know.

Describe the solution you'd like

A) Let PAP behave like CHAP/MSCHAPv2. Would be most consistent.

Describe alternatives you've considered

B) Add an additional configuration flag for PAP or change the otp flag to a list of PAP, CHAP, MSCHAPv2. (true means CHAP, MSCHAPv2 for compatibillity).

C) Discard the otp flag in the configuration, move it to the client configuration with the possibility to change the behavior for all or PAP, CHAP, MSCHAPv2 separately.
(I'm not sure if this will work, since the client seems to provide at best a realm, but no client ID. Therefore a configuration in the realm would also be thinkable).

Additional context

I think I could create a PR for it (if it doesn't get too deep into Keycloak internals), but I'd like to know beforehand if this is a completely stupid idea respectively which variant would be preferred.

And many thanks to @vzakharchenko for his great work on this plugin.

Describe the bug
I am trying to use MariaDB as RDBS, but I get the following error during starting the services:

keycloak_1 | 11:58:42,655 FATAL [org.keycloak.services] (ServerService Thread Pool -- 66) Error during startup: java.lang.IllegalStateException: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('"' (code 34)): was expecting comma to separate Object entries keycloak_1 | at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 105] keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.configuration.FileRadiusConfiguration.getRadiusSettings(FileRadiusConfiguration.java:52) keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.server.KeycloakRadiusServer.<init>(KeycloakRadiusServer.java:42) keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.server.RadiusServerProviderFactory.createInstance(RadiusServerProviderFactory.java:20) keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.providers.AbstractRadiusServerProviderFactory.create(AbstractRadiusServerProviderFactory.java:19) keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.providers.AbstractRadiusServerProviderFactory.lambda$postInit$0(AbstractRadiusServerProviderFactory.java:41) keycloak_1 | at [email protected]//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:239) keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.providers.AbstractRadiusServerProviderFactory.postInit(AbstractRadiusServerProviderFactory.java:40) keycloak_1 | at [email protected]//org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:129) keycloak_1 | at [email protected]//org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:233) keycloak_1 | at [email protected]//org.keycloak.services.resources.KeycloakApplication.startup(KeycloakApplication.java:124) keycloak_1 | at [email protected]//org.keycloak.provider.wildfly.WildflyPlatform.onStartup(WildflyPlatform.java:36) keycloak_1 | at [email protected]//org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:114) keycloak_1 | at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) keycloak_1 | at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) keycloak_1 | at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) keycloak_1 | at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) keycloak_1 | at [email protected]//org.jboss.resteasy.core.ConstructorInjectorImpl.constructOutsideRequest(ConstructorInjectorImpl.java:225) keycloak_1 | at [email protected]//org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:209) keycloak_1 | at [email protected]//org.jboss.resteasy.core.providerfactory.Utils.createProviderInstance(Utils.java:102) keycloak_1 | at [email protected]//org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl.createProviderInstance(ResteasyProviderFactoryImpl.java:1385) keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.createApplication(ResteasyDeploymentImpl.java:418) keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.initializeObjects(ResteasyDeploymentImpl.java:265) keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.startInternal(ResteasyDeploymentImpl.java:137) keycloak_1 | at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.start(ResteasyDeploymentImpl.java:121) keycloak_1 | at [email protected]//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:144) keycloak_1 | at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:42) keycloak_1 | at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) keycloak_1 | at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.doIt(RunAsLifecycleInterceptor.java:70) keycloak_1 | at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:76) keycloak_1 | at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) keycloak_1 | at [email protected]//io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:309) keycloak_1 | at [email protected]//io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:145) keycloak_1 | at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:588) keycloak_1 | at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559) keycloak_1 | at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) keycloak_1 | at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544) keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544) keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544) keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544) keycloak_1 | at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:601) keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:106) keycloak_1 | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:87) keycloak_1 | at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) keycloak_1 | at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) keycloak_1 | at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) keycloak_1 | at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990) keycloak_1 | at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) keycloak_1 | at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) keycloak_1 | at java.base/java.lang.Thread.run(Thread.java:829) keycloak_1 | at [email protected]//org.jboss.threads.JBossThread.run(JBossThread.java:513) keycloak_1 | Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('"' (code 34)): was expecting comma to separate Object entries keycloak_1 | at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 105] keycloak_1 | at [email protected]//com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2337) keycloak_1 | at [email protected]//com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:710) keycloak_1 | at [email protected]//com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:635) keycloak_1 | at [email protected]//com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextFieldName(UTF8StreamJsonParser.java:1024) keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:331) keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:187) keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322) keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4593) keycloak_1 | at [email protected]//com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3585) keycloak_1 | at [email protected]//org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:94) keycloak_1 | at [email protected]//org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:79) keycloak_1 | at keycloak.plugins.radius//com.github.vzakharchenko.radius.configuration.FileRadiusConfiguration.getRadiusSettings(FileRadiusConfiguration.java:49) keycloak_1 | ... 50 more keycloak_1 | keycloak_1 | 11:58:42,664 INFO [org.jboss.as.server] (Thread-1) WFLYSRV0220: Server shutdown has been requested via an OS signal

To Reproduce

1. Use the following docker-compose.yml

`version: '3.7'
services:
db:
image: mariadb:10.5.3
ports:
- "3306:3306"
volumes:
- ./mysql:/var/lib/mysql
environment:
- MARIADB_ROOT_PASSWORD=root
- MYSQL_ROOT_PASSWORD=root

keycloak:
image: jboss/keycloak:latest
depends_on:
- db
ports:
- "8090:8080" # UI
- "8190:8190" # DEBUG
- "1812:1812/udp" # RADIUS
- "1813:1813/udp" # RADIUS
environment:
- KEYCLOAK_IMPORT="/config/realm-example.json"
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=admin
- DB_VENDOR=mariadb
- DB_PORT=3306
- DB_ADDR=db
- DB_DATABASE=keycloak
- DB_USER=root
- DB_PASSWORD=root
- RADIUS_SHARED_SECRET="secret"
- RADIUS_UDP=true
- RADIUS_UDP_AUTH_PORT=1812
- RADIUS_UDP_ACCOUNT_PORT=1813
- RADIUS_RADSEC=false
- RADIUS_RADSEC_PRIVATEKEY="/config/private.key"
- RADIUS_RADSEC_CERTIFICATE="/config/public.crt"
- RADIUS_DICTIONARY=""
- RADIUS_COA=false
- RADIUS_COA_PORT="3799"
- keycloak.profile.feature.upload_scripts="enabled"
volumes:
- ../cli:/opt/radius/cli
- ./scripts:/opt/radius/scripts
- ./config:/config
entrypoint: /opt/radius/scripts/docker-entrypoint.sh`

2. Run using "docker-compose up"

There is a radius sever Radiusdesk, where i can configure profiles for connection restriction.
But it has own database.
We want to use KeyCloak for SSO and this plugin for radius features.
Is it possible to configure radius server like in this post?
https://gremaudpi.emf-informatique.ch/how-to-build-a-captive-portal-with-radiusdesk-and-coova-chilli-on-raspberry-pi-running-openwrt/

I'm attempting to integrate AWS Directory Services with Keycloak radius server and I get the following. This results when using the AWS console to enable 2FA.

2022-05-11 16:45:24,683 WARN [org.keycloak.events] (pool-6-thread-3) type=LOGIN_ERROR, realmId=Radius, clientId=radius, userId=ba222699-c4a3-4765-88fc-b785bdbe2011, ipAddress=10.0.131.229, error=RADIUS ERROR, RADIUS='Login to RADIUS fail for user fakeusername, please check password and try again', RADIUS_HOST=10.0.131.229
2022-05-11 16:45:24,683 WARN [org.keycloak.events] (pool-6-thread-4) type=LOGIN_ERROR, realmId=Radius, clientId=radius, userId=ba222699-c4a3-4765-88fc-b785bdbe2011, ipAddress=10.0.87.184, error=RADIUS ERROR, RADIUS='Login to RADIUS fail for user fakeusername, please check password and try again', RADIUS_HOST=10.0.87.184

10.0.131.229 and 10.0.87.184 are two addressed associated with AWS Directory Services AD. I can log into the Keycloak console using fake username and password just fine.

Anybody ever tried this?

Depshield will be deprecated on Monday December 12th

Please install our new product, Sonatype Lift with advanced features

Describe the bug
The plugin requires the config file to be: /config/radius.conf
instead of ${KEYCLOAK_PATH}/config/radius.conf

To Reproduce
Steps to reproduce the behavior:
Add plugins to existing keycloak and try to start ...

Expected behavior
Well that the file could be kept within the keycloak directory

Screenshots
NA

Desktop (please complete the following information):

• OS: CentOS V7.9
• Browser: not relevant

Smartphone (please complete the following information):
Not relevant

Additional context
Add any other context about the problem here.

Describe the bug
Hello. I faced an issue when the request doesn't contain a realm name. Please, see the log below.
Everything is OK when I send the realm name explicitly, but Unifi doesn't support setting a realm name.

To Reproduce
Use an example with a default realm name

Expected behavior
Get SUCCESS status

Desktop (please complete the following information):

• Keycloak-radius-plugin Docker container v 1.3.5

Additional context
Logs:
15:21:01,456 ERROR [stderr] (pool-19-thread-1) Exception in thread "pool-19-thread-1" java.lang.NoClassDefFoundError: org/apache/commons/lang3/StringUtils 15:21:01,457 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.RadiusHelper.getRealmFromUserName(RadiusHelper.java:190) 15:21:01,457 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.RadiusHelper.getRealm(RadiusHelper.java:214) 15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.protocols.AbstractAuthProtocol.isValid(AbstractAuthProtocol.java:90) 15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelRead0(AuthHandler.java:102) 15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AuthHandler.lambda$channelReadRadius$0(AuthHandler.java:120) 15:21:01,458 ERROR [stderr] (pool-19-thread-1) at [email protected]//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228) 15:21:01,458 ERROR [stderr] (pool-19-thread-1) at keycloak.plugins.radius//com.github.vzakharchenko.radius.radius.handlers.AuthHandler.channelReadRadius(AuthHandler.java:118) 15:21:01,458 ERROR [stderr] (pool-19-thread-1) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 15:21:01,459 ERROR [stderr] (pool-19-thread-1) Caused by: java.lang.ClassNotFoundException: org.apache.commons.lang3.StringUtils from [Module "keycloak.plugins.radius" from local module loader @13d9b21f (finder: local module finder @2826f61 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))]

I am following along and trying to build a Radius Client to support a MikroTik router. I create a realm for the Mikrotik devices. I then get to building the client. When I click "create" I get this error:

Cannot read properties of undefined (reading 'length')

(In the Webapp)

The keycloak binary was downloaded from github using wget: wget https://github.com/vzakharchenko/keycloak-radius-plugin/releases/download/v1.4.8-19.0.1/keycloak-radius.zip

The application temporarily run from the command line using: bin/kc.sh start-dev

I have looked through the 16 issues and don't see anything related. My suspicion is that I am missing some command line argument.

Thank you!

arm, arm64 and amd64 images would be helpful.

only amd64 images provided on docker hub.

upstream keycloak only supports amd64 and arm64 images, thats why I created multiarch keycloak releases, see:
https://github.com/maltegrosse/keycloak-multiarch

in order to switch to multiarch for the radius plugin, only minor changes to a github workflow/action need to be done, see:
https://github.com/maltegrosse/keycloak-radius-multiarch/blob/main/.github/workflows/container.yml#L24