
Malformed providers config will leak secrets #656

@andogq

Description

If the providers config map contains malformed JSON, the API will encounter an unmarshalling error at /api/v0/idps which will include the full IDP configuration, including client secrets.

Ideally these errors shouldn't be directly returned from the API, at least without stripping potentially sensitive information. The same error message (including secrets) is also present in deployment logs, which is also leaking the same secrets.

Repro

  • kubectl edit cm providers

  • Alter idps.json to include invalid JSON

    [
      {
        "id": "{{ snip }}",
        "client_id": "{{ snip }}",
        "provider": "microsoft",
        "client_secret": "{{ snip }}",
        "microsoft_tenant": "{{ snip }}",
        "mapper_url": "file:///etc/config/kratos/microsoft_schema.jsonnet",
        "scope": ["profile", "email", "address", "phone"]
      },
      {
        "id": "{{ snip }}",
        "client_id": "{{ snip }}",
        "provider": "google",
        "client_secret": "{{ snip }}",
        "mapper_url": "file:///etc/config/kratos/google_schema.jsonnet",
        "scope": ["profile", "email", "address", "phone"],
        "requested_claims": "{\"userinfo\":{\"given_name\":{\"essential\":true},\"nickname\":null,\"email\":{\"essential\":true},\"email_verified\":{\"essential\":true},\"picture\":null,\"http://example.info/claims/groups\":null},\"id_token\":{\"auth_time\":{\"essential\":true},\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]}}}"
      }
      INVALID
    ]

  • kubectl rollout restart deployment identity-platform-admin-ui

  • Head to http://localhost:8000/ui and log in with an account as normal

  • Loading http://localhost:8000/api/v0/idps (either directly, or by selecting 'Identity providers' tab and checking dev tools) should result in a 500 from the server:

{
  "status": 500,
  "message": "failed to list IDPs: failed unmarshalling [\n  {\n    \"id\": \"{{ snip }}\",\n    \"client_id\": \"{{ snip }}\",\n    \"provider\": \"microsoft\",\n    \"client_secret\": \"{{ snip }}\",\n    \"microsoft_tenant\": \"{{ snip }}\",\n    \"mapper_url\": \"file:///etc/config/kratos/microsoft_schema.jsonnet\",\n    \"scope\": [\"profile\", \"email\", \"address\", \"phone\"]\n  },\n  {\n    \"id\": \"{{ snip }}\",\n    \"client_id\": \"{{ snip }}\",\n    \"provider\": \"google\",\n    \"client_secret\": \"{{ snip }}\",\n    \"mapper_url\": \"file:///etc/config/kratos/google_schema.jsonnet\",\n    \"scope\": [\"profile\", \"email\", \"address\", \"phone\"],\n    \"requested_claims\": \"{\\\"userinfo\\\":{\\\"given_name\\\":{\\\"essential\\\":true},\\\"nickname\\\":null,\\\"email\\\":{\\\"essential\\\":true},\\\"email_verified\\\":{\\\"essential\\\":true},\\\"picture\\\":null,\\\"http://example.info/claims/groups\\\":null},\\\"id_token\\\":{\\\"auth_time\\\":{\\\"essential\\\":true},\\\"acr\\\":{\\\"values\\\":[\\\"urn:mace:incommon:iap:silver\\\"]}}}\"\n  }\n  INVALID\n]\n - invalid character 'I' after array element"
}
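The response above shows the characteristic shape of this bug: the decoder's own diagnostic ("invalid character 'I' after array element") is short and safe, but the raw config document was formatted into the error string in front of it. As an added illustration (not code from this issue or from identity-platform-admin-ui), the Go program below contrasts that wrapping pattern with one that keeps the decoder's diagnostics and byte offset while never echoing the document, and returns a fixed message to the API caller. The `IDP` struct, the sample config, the placeholder secret and the function names are assumptions made for the example; the project's own types and handlers may look different.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IDP carries the subset of idps.json fields shown in the issue
// (assumed struct; the project's real type may differ).
type IDP struct {
	ID           string   `json:"id"`
	ClientID     string   `json:"client_id"`
	Provider     string   `json:"provider"`
	ClientSecret string   `json:"client_secret"`
	MapperURL    string   `json:"mapper_url"`
	Scope        []string `json:"scope"`
}

// Constructed sample: a placeholder secret and the same defect as the
// report (a stray token after the last array element).
const sampleSecret = "PLACEHOLDER-CLIENT-SECRET"

const malformedConfig = `[
  {
    "id": "example-idp",
    "client_id": "example-client-id",
    "provider": "google",
    "client_secret": "` + sampleSecret + `",
    "mapper_url": "file:///etc/config/kratos/google_schema.jsonnet",
    "scope": ["profile", "email"]
  }
  INVALID
]`

// parseIDPsLeaky mirrors the pattern visible in the reported response: the
// whole raw document is formatted into the error, so every client_secret in
// the config travels with the error into the HTTP body and the logs.
func parseIDPsLeaky(raw []byte) ([]IDP, error) {
	var idps []IDP
	if err := json.Unmarshal(raw, &idps); err != nil {
		return nil, fmt.Errorf("failed unmarshalling %s - %w", raw, err)
	}
	return idps, nil
}

// parseIDPsSafe keeps what an operator needs to locate the problem. Go's
// encoding/json error types report the offending character, the byte offset
// or the field name without echoing the input, so wrapping err is enough;
// the raw bytes are simply never formatted into the message.
func parseIDPsSafe(raw []byte) ([]IDP, error) {
	var idps []IDP
	err := json.Unmarshal(raw, &idps)
	if err == nil {
		return idps, nil
	}
	var syn *json.SyntaxError
	if errors.As(err, &syn) {
		return nil, fmt.Errorf("failed unmarshalling idps config at byte offset %d: %w", syn.Offset, err)
	}
	var typ *json.UnmarshalTypeError
	if errors.As(err, &typ) {
		// Field and Value name the path and JSON type, not the value itself.
		return nil, fmt.Errorf("failed unmarshalling idps config: field %q has JSON type %s", typ.Field, typ.Value)
	}
	return nil, fmt.Errorf("failed unmarshalling idps config: %w", err)
}

// clientMessage is what an /api/v0/idps-style handler would put in the 500
// body: a fixed string, while the sanitized error goes to the server log only.
func clientMessage(err error) string {
	if err == nil {
		return ""
	}
	return "failed to list IDPs: configuration could not be parsed (see server logs)"
}

// leaksSecret reports whether an error's text contains the given secret.
func leaksSecret(err error, secret string) bool {
	return err != nil && strings.Contains(err.Error(), secret)
}

func main() {
	_, leaky := parseIDPsLeaky([]byte(malformedConfig))
	_, safe := parseIDPsSafe([]byte(malformedConfig))
	fmt.Println("leaky error contains secret:", leaksSecret(leaky, sampleSecret))
	fmt.Println("safe error contains secret: ", leaksSecret(safe, sampleSecret))
	fmt.Println("logged error:", safe)
	fmt.Println("client sees: ", clientMessage(safe))
}
```

Running it prints `true` for the leaky path and `false` for the safe one; the logged error still ends in `invalid character 'I' after array element` with the byte offset, which is all that is needed to find the bad edit in the ConfigMap. The same split (sanitized detail to logs, fixed text to the caller) also addresses the second half of the report, since the deployment logs no longer receive the document either.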
