Orthanc/Keycloak security hardening questions

[Sharpz7]

Hey Folks - appreciate you guys creating this, we have had a lot of success using it, and hope to release a open production-ready setup example sometime this year :)

I noticed that currently, the orthanc client does not need a client secret to login. This confused me for a couple of reasons:

• Why is it needed for the Orthanc 2 UI, as specified here
• Why was this decision made? Apologies if I am missing something, I don't have much experience with this side of cyber security - I've hacked together this knowledge with google searches this afternoon.

As well as this, I noticed that Proof Key for Code Exchange Code Challenge Method is set to plain

And that the public client access type is enabled by default

From the little I know, I imagine we should enforce S256 by default, and leave the public access type enabled, since I think the orthanc auth service uses S256 already. By changing the Code Challenge Method we stop other services from authenticating and doing weird token manipulation.

Thanks!

[Sharpz7]

I also noticed that http://localhost/system seems to be accessible without auth - is this on purpose as a health check?

If you guys are open to these kind of additions, I would love to become a contributor!

[bcrickboom]

Hi Sharpz7,

Not everything is clear to me in your message...
The reference to the documentation is actually a deprecated one.

Regarding the proof key, I'll have a look

Thanks,

[Sharpz7]

Hi @bcrickboom sorry, I should have said

orthanc-auth-service/minimal-setup/keycloak/README.md

Line 74 in 0968950

# Enabling API keys

- a few lines higher.

Basically because of how Orthanc has its keycloak configuration, it allows clients to authenticate on the "orthanc-client" with a client secret (client authentication is off). This raises questions as 1) s256 enforcement is also off and 2) that should mean that a keycloak secret from the logs is not needed as an orthanc env var (

orthanc-auth-service/minimal-setup/keycloak-inbox/docker-compose.yml

Lines 148 to 151 in 0968950

	# ENABLE_KEYCLOAK_API_KEYS: "true"
	# # to enable the permissions edition UI in OE2, you need to provide a KEYCLOAK_CLIENT_SECRET
	# KEYCLOAK_CLIENT_SECRET: "change-me-I-am-a-secret-you-get-in-keycloak-logs"
	KEYCLOAK_CLIENT_SECRET: "m1FL0Y4GN9DsBK39NSwTWSjAQTnsPzGA"

) - unless this is using a different keycloak client, but it seems to me that it shouldn't be required to be that way?

Plus I am confused by the exposure of http://localhost/system which seems strange and non-standard to me