instipod DuoUniversalKeycloakAuthenticator challenge information disclosure vulnerability
Pretty simple issue: Keycloak supported the DuoUniversalKeycloakAuthenticator plugin to add Duo multi-factor authentication to Keycloak. To do so, on a successful authentication with Keycloak the plugin would initiate a redirect to the configured Duo endpoint. The problem is that rather than issuing something like an HTTP 302 redirect, the plugin issued an HTTP 307 redirect.
HTTP 307 Temporary Redirect is a special form of redirect that preserves the request method and body. So a POST request that gets a 307 in response will read the new Location and make the same POST request, body included, to that new location. Whereas the more common 302 redirect turns the request into a GET, this body-preserving 307 meant that the authentication credentials originally POSTed to Keycloak were sent on to Duo’s servers as well.
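As an added example (not code from the plugin or from the original post), the exchange above simulated end to end in Python: a constructed stand-in for the identity provider answers a login POST with a redirect to a hypothetical third-party path, and a minimal client follows it the way browsers do, so you can see that a 307 replays the POST body to the new location while a 302 does not. All hosts, paths and credentials are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class IdpHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the identity provider: POST /login answers with a
    redirect (302 or 307) to a path standing in for the third-party MFA endpoint.
    Every request the server handles is recorded so we can inspect what arrived."""
    redirect_status = 307
    received = []   # (method, path, body) for every request handled

    def log_message(self, *args):   # silence per-request logging
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode() if length else ""
        IdpHandler.received.append((self.command, self.path, body))
        if self.path == "/login":
            self.send_response(self.redirect_status)
            self.send_header("Location", "/third-party/auth")   # hypothetical MFA endpoint
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST   # same recording logic for GET; a GET carries no body

def follow_like_a_browser(host, port, method, path, body):
    """Send one request and follow a single redirect the way browsers do:
    301/302/303 are re-issued as a body-less GET, 307/308 replay method and body."""
    conn = http.client.HTTPConnection(host, port)
    conn.request(method, path, body=body)
    resp = conn.getresponse()
    resp.read()
    if resp.status in (301, 302, 303):
        method, body = "GET", None
    elif resp.status not in (307, 308):
        return resp.status
    conn.request(method, urlsplit(resp.getheader("Location")).path, body=body)
    return conn.getresponse().status

def run_scenario(redirect_status):
    """Log in with a POST, then return the (method, body) that reached the third-party path."""
    IdpHandler.redirect_status = redirect_status
    IdpHandler.received = []
    server = HTTPServer(("127.0.0.1", 0), IdpHandler)   # port 0: let the OS pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        follow_like_a_browser("127.0.0.1", server.server_port, "POST", "/login",
                              "username=alice&password=hunter2")   # constructed credentials
    finally:
        server.shutdown()
        server.server_close()
    return next((m, b) for m, p, b in IdpHandler.received if p.startswith("/third-party"))
```

With a 307 the third-party handler receives the full POST body, credentials included; with a 302 it only sees an empty GET.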
While you may not run into this exact issue, I wanted to highlight it as something to keep an eye out for (307 and 308 redirects), because they can forward a request body, and with it credentials or other sensitive data, to a third party, which can result in potentially useful information disclosures.