Home > Mobile >  How to prevent Keycloak from displaying the password in body?
How to prevent Keycloak from displaying the password in body?

Time:02-11

I have an Angular app that is redirected to Keycloak login page. After the user login I check the requests that have been done, and there is one similar to:

https://localhost:8443/auth/realms/XXX/login-actions/authenticate?session_code=XXX&execution=XXX&client_id=XXX&tab_id=XXX

In this request I can see in the body the username and the password the user sent:

username=my_user
password=my_password
credentialId=""

This is not encrypted and I can see it easily on the browser. Of course this is unsafe, so I would like to know. How can I prevent this behavior?

CodePudding user response:

It's safe to send password in your body.
You can test it on stackOverflow himself which send you login/password in clear and use SSL certificate.
You send your password one time and use token after that.
SSL certificate is a solution if you want to prevent MIM.

Page link:https//www.codepudding.com/Mobile/295845.html

Prev:Consuming a localhost webservice via the Android emulator
Next:How design API URLs to comply with GDPR and OWASP and avoid Personal Identifiable Information in URL
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding