
Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)

Çağlar Arlı


CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below:

/auth/realms/{realm}/clients-registrations/default/{client_id}

Through other discussions, I've read about the possibility of generating a new JWT access_token and resigning it with the client_secret. Is this really possible given that the access_token generated by Keycloak uses RS256 and the refresh_token generated uses HS256? I ask this because to generate a new access_token, wouldn't it be necessary to possess the key pair (Public and Private) and thus generate a new token?

Considering the versions affected by this vulnerability, I would like to understand the main impacts of this client_secret leakage in a scenario where the Authorization Code Flow is enabled.
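The point behind the question (whether a token re-signed with HS256 using a leaked client_secret would be accepted) comes down to whether the verifier pins the signing algorithm server-side. The following is an added illustration, not code from the question or from Keycloak: it mints an HS256 token with a constructed secret and shows that a verifier configured for RS256 rejects it before any signature check, while the HS256 path is verified in full (an RS256 checker would wrap an RSA library and is left to the caller).

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret for the demo; not a real Keycloak client_secret.
SAMPLE_CLIENT_SECRET = b"constructed-client-secret-for-demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT, i.e. what anyone holding a shared secret can produce."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def hs256_verifier(secret: bytes):
    """Return a checker for HS256 signatures over the raw signing input."""
    def check(signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return check


def validate_token(token: str, expected_alg: str, verifiers: dict):
    """Return the claims only if the header alg equals the alg pinned by the server.

    The algorithm is taken from configuration, never from the token header, so an
    HS256 token minted with a leaked secret is rejected by a verifier that expects
    RS256 access tokens. 'verifiers' maps alg -> checker(signing_input, signature).
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != expected_alg or expected_alg not in verifiers:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verifiers[expected_alg](signing_input, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))
```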

References: