Log warnings

Signed-off-by: Peter Zaoral <[email protected]>
Pepo48 · Jul 26, 2024 · a56a49f · a56a49f
1 parent 8b2572e
commit a56a49f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/services/src/main/java/org/keycloak/authentication/ClientAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/ClientAuthenticationFlow.java
@@ -33,6 +33,8 @@
 import java.util.List;
 import java.util.Optional;
 
+import static org.keycloak.services.managers.ApplianceBootstrap.TEMP_ADMIN_ATTR_NAME;
+
 /**
  * @author <a href="mailto:[email protected]">Marek Posolda</a>
  */
@@ -96,6 +98,9 @@ public Response processFlow() {
                     }
 
                     logger.debugv("Client {0} authenticated by {1}", client.getClientId(), factory.getId());
+                    if (Boolean.parseBoolean(client.getAttribute(TEMP_ADMIN_ATTR_NAME))) {
+                        logger.warn(client.getClientId() + " is a temporary admin service account. To harden security, create a permanent account and delete the temporary one.");
+                    }
                     processor.getEvent().detail(Details.CLIENT_AUTH_METHOD, factory.getId());
                     return null;
                 }
@@ -107,7 +112,7 @@ public Response processFlow() {
             processor.getEvent().error(Errors.INVALID_CLIENT);
             return alternativeChallenge;
         }
-        
+
         throw new AuthenticationFlowException("Invalid client or Invalid client credentials", AuthenticationFlowError.CLIENT_NOT_FOUND);
     }
 

diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -117,6 +117,7 @@
 
 import static org.keycloak.models.UserSessionModel.CORRESPONDING_SESSION_ID;
 import static org.keycloak.protocol.oidc.grants.device.DeviceGrantType.isOAuth2DeviceVerificationFlow;
+import static org.keycloak.services.managers.ApplianceBootstrap.TEMP_ADMIN_ATTR_NAME;
 
 /**
  * Stateless object that manages authentication
@@ -1039,6 +1040,14 @@ public static Response finishedRequiredActions(KeycloakSession session, Authenti
         event.event(EventType.LOGIN);
         event.session(userSession);
         event.success();
+
+        UserModel authUser = userSession.getUser();
+        boolean isTemporaryAdmin = Boolean.parseBoolean(authUser.getFirstAttribute(TEMP_ADMIN_ATTR_NAME));
+        if (isTemporaryAdmin) {
+            logger.warnf("%s is a temporary admin user account. To harden security, " +
+                    "create a permanent admin account and delete the temporary one.", authUser.getUsername());
+        }
+
         return redirectAfterSuccessfulFlow(session, realm, userSession, clientSessionCtx, request, uriInfo, clientConnection, event, authSession);
     }