I have an Angular app that is redirected to Keycloak login page. After the user login I check the requests that have been done, and there is one similar to:
https://localhost:8443/auth/realms/XXX/login-actions/authenticate?session_code=XXX&execution=XXX&client_id=XXX&tab_id=XXX
In this request I can see in the body the username and the password the user sent:
username=my_user
password=my_password
credentialId=""
This is not encrypted and I can see it easily in the browser. Of course this is unsafe, so I would like to know: how can I prevent this behavior?
CodePudding user response:
It's safe to send the password in your body.
You can test it on Stack Overflow itself, which sends your login/password in the clear and uses an SSL certificate.
You send your password one time and use a token after that.
An SSL certificate is a solution if you want to prevent MITM.
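The point of the answer is that the form body is readable in the browser's developer tools only because the browser decrypts the TLS session itself; what matters for an attacker on the network is the URL scheme of the request carrying the credentials. The following is an added example, not code from the question or the answer, and not part of Keycloak or Angular: it takes a captured login request like the one in the question (the URL and body are constructed samples modelled on it, with the field names from the page) and reports whether the credentials travel over TLS, while redacting the secret fields so the record can be kept in a log or ticket safely.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the request quoted in the question.
SAMPLE_URL = ("https://localhost:8443/auth/realms/XXX/login-actions/authenticate"
              "?session_code=XXX&execution=XXX&client_id=XXX&tab_id=XXX")
SAMPLE_BODY = "username=my_user&password=my_password&credentialId="

# Form fields whose values must never be written anywhere in clear.
SECRET_FIELDS = {"password", "credentialId"}


def assess_transport(url: str) -> str:
    """Return 'encrypted' when the request goes over HTTPS, else 'cleartext'."""
    return "encrypted" if urlsplit(url).scheme.lower() == "https" else "cleartext"


def redact_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body and mask secret values.
    Empty secrets (credentialId= in the sample) are kept empty so the shape of
    the request stays visible."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        name: ("<redacted>" if name in SECRET_FIELDS and values[0] else values[0])
        for name, values in fields.items()
    }


def audit_login_request(url: str, body: str) -> dict:
    """Combine the transport check with the redacted view of the body."""
    transport = assess_transport(url)
    fields = parse_qs(body, keep_blank_values=True)
    carries_secret = any(name in SECRET_FIELDS and values[0]
                         for name, values in fields.items())
    findings = []
    if carries_secret and transport == "cleartext":
        findings.append("credentials posted over plain HTTP: readable on the wire")
    elif carries_secret:
        findings.append("credentials posted over TLS: readable only after "
                        "decryption in the browser, not on the wire")
    return {"transport": transport, "fields": redact_form(body), "findings": findings}


if __name__ == "__main__":
    print(audit_login_request(SAMPLE_URL, SAMPLE_BODY))
```

Run against a capture exported from the browser's network tab, the result for the question's request is `transport: encrypted` with the password masked; the same body posted to an `http://` URL is the case that actually needs fixing, and on Keycloak that fix is enforcing HTTPS for the realm rather than changing how the login form submits.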