A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the client-type, client-roles, client-attributes, or client-scopes condition providers in conjunction with the reject-ropc-grant executor. Instead, configure policies to use the grant-type condition provider for ROPC rejection. After changing a policy, confirm the fix by issuing a password grant to the realm's token endpoint for a client the policy is meant to cover and checking that the request is rejected rather than answered with tokens. A restart or reload of the Keycloak service may be required for these policy changes to take full effect.
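As an added check, not part of the advisory and not Keycloak's own tooling, the script below scans a realm export (the JSON produced by a realm export or the admin REST API) for enabled policies that attach a profile containing the reject-ropc-grant executor while also using one of the four condition providers named above, and reports whether any ROPC-rejecting policy free of those conditions remains. The JSON layout follows Keycloak's realm representation (clientProfiles.profiles[].executors and clientPolicies.policies[].conditions/profiles); the sample export embedded in the block, its configuration values, and the grant-type condition used for the corrected policy are constructed for illustration from the advisory's wording and were not verified against a specific Keycloak release.

```python
"""Scan a Keycloak realm export for ROPC-rejection policies that depend on the
condition providers the advisory lists as bypassing reject-ropc-grant.
Constructed example; not Keycloak project code."""
import json
import sys

# Condition provider ids taken from the advisory text.
AFFECTED_CONDITIONS = frozenset({"client-type", "client-roles", "client-attributes", "client-scopes"})
ROPC_EXECUTOR = "reject-ropc-grant"

# Constructed sample export: one vulnerable policy, one corrected policy,
# one unrelated PKCE policy and one disabled policy. Configuration values are illustrative.
SAMPLE_REALM_EXPORT = {
    "realm": "demo",
    "clientProfiles": {"profiles": [
        {"name": "no-ropc", "executors": [{"executor": ROPC_EXECUTOR, "configuration": {}}]},
        {"name": "pkce-only", "executors": [{"executor": "pkce-enforcer", "configuration": {"auto-configure": True}}]},
    ]},
    "clientPolicies": {"policies": [
        {"name": "block-ropc-for-role", "enabled": True,
         "conditions": [{"condition": "client-roles", "configuration": {"roles": ["no-password-grant"]}}],
         "profiles": ["no-ropc"]},
        {"name": "block-ropc-by-grant", "enabled": True,
         "conditions": [{"condition": "grant-type", "configuration": {"grant-types": ["password"]}}],
         "profiles": ["no-ropc"]},
        {"name": "pkce-for-public", "enabled": True,
         "conditions": [{"condition": "client-access-type", "configuration": {"type": ["public"]}}],
         "profiles": ["pkce-only"]},
        {"name": "disabled-legacy", "enabled": False,
         "conditions": [{"condition": "client-scopes", "configuration": {"scopes": ["legacy"]}}],
         "profiles": ["no-ropc"]},
    ]},
}


def profiles_with_ropc_executor(realm):
    """Names of client profiles in the export that contain the reject-ropc-grant executor."""
    profiles = realm.get("clientProfiles", {}).get("profiles", [])
    return {p["name"] for p in profiles
            if any(e.get("executor") == ROPC_EXECUTOR for e in p.get("executors", []))}


def _enabled_ropc_policies(realm):
    """Yield enabled policies that attach at least one profile carrying reject-ropc-grant."""
    ropc_profiles = profiles_with_ropc_executor(realm)
    for policy in realm.get("clientPolicies", {}).get("policies", []):
        if policy.get("enabled", True) and ropc_profiles.intersection(policy.get("profiles", [])):
            yield policy


def find_bypassable_ropc_policies(realm):
    """Return [(policy_name, [affected condition ids])] for enabled ROPC-rejecting policies
    that use any condition from AFFECTED_CONDITIONS. A policy only applies when all of its
    conditions hold, so one affected condition is enough for the executor to be skipped."""
    findings = []
    for policy in _enabled_ropc_policies(realm):
        bad = [c.get("condition") for c in policy.get("conditions", [])
               if c.get("condition") in AFFECTED_CONDITIONS]
        if bad:
            findings.append((policy["name"], bad))
    return findings


def has_unaffected_ropc_rejection(realm):
    """True if at least one enabled policy rejects ROPC without any affected condition,
    e.g. one built on the grant-type condition the advisory recommends."""
    return any(
        not any(c.get("condition") in AFFECTED_CONDITIONS for c in policy.get("conditions", []))
        for policy in _enabled_ropc_policies(realm)
    )


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            realm = json.load(fh)
    else:
        realm = SAMPLE_REALM_EXPORT
    for name, conds in find_bypassable_ropc_policies(realm):
        print(f"policy {name!r}: reject-ropc-grant combined with {', '.join(conds)}")
    if not has_unaffected_ropc_rejection(realm):
        print("no ROPC-rejection policy free of the affected conditions found")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_ropc_policies.py realm-export.json`; with no argument it scans the embedded sample, reporting block-ropc-for-role as bypassable and leaving block-ropc-by-grant unflagged. The script only inspects exported configuration, so it complements, rather than replaces, the live token-endpoint check described above.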