STRIDE threat model — quick narrative via search
You are designing a new B2B authentication flow using OAuth 2.1 + OIDC + Keycloak. Your security architect wants a fast STRIDE narrative grounded in OWASP and STRIDE-patterns before committing to a full workflow run.
How the gateway answered
Build a STRIDE threat model for the following authentication architecture: user → Keycloak → resource server → PostgreSQL. List threats per component, mitigations, and cite OWASP / NIST 800-53 / STRIDE patterns where relevant.
- search(query="OAuth authentication token theft replay spoofing" sources=[OWASP MCP] limit=6) → 6 results from OWASP MCP — Session Timeout (×4), Weak Encryption (×2)
- search(query="identity authentication access control NIST 800-53 IA…" sources=[Security Controls MCP] limit=6) → 1 weakly-relevant result from Security Controls MCP; insufficient for NIST 800-53 citations
- search(query="PostgreSQL database SQL injection privilege escalation" sources=[OWASP MCP] limit=4) → 4 results from OWASP MCP — Testing for SQL Injection + Objectives 1/2/3
- search(query="Keycloak OIDC session hijacking refresh token" sources=[OWASP MCP, STRIDE MCP] limit=5) → 10 results: OWASP Session Fixation/Logout/Management/Hijacking + STRIDE OAuth replay, Predictable Tokens, WebSocket Origin Bypass

STRIDE threat model — OAuth 2.1 + OIDC + Keycloak
Four components in scope: user agent → Keycloak (auth server) → resource server → PostgreSQL. STRIDE per component with mitigations grounded in the gateway's OWASP WSTG corpus and the STRIDE MCP threat-pattern library.
1. User agent ↔ Keycloak (login + token issuance)
| Category | Threat | Cited mitigation |
|---|---|---|
| Spoofing | Stolen credentials replayed at login | OAuth 2.1 PKCE; MFA. See OWASP — Testing Session Fixation |
| Spoofing | OIDC redirect-URI tampering steers tokens to an attacker | Strict redirect-URI allowlist; exact-match only. See STRIDE MCP — OAuth 2.0 Access Token Theft and Replay |
| Tampering | Auth-code interception in the redirect | PKCE S256 challenge binds the code to the originating client. Same OWASP/STRIDE references. |
| Repudiation | User denies they consented to the scopes they were granted | Keycloak's consent screen + audit log of grants. (No on-point citation in this gateway run — flagged for review.) |
| Information disclosure | Refresh token leak grants long-lived access | STRIDE MCP — Predictable Token Generation via Weak Random Number Generators. Use rotating refresh tokens; bind tokens to the client … |
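
The exact-match redirect-URI and PKCE S256 rows in the table above, sketched as an added Python example (not part of the original page and not Keycloak's code). `ToyAuthServer`, the client id `b2b-portal` and the callback URL are hypothetical, constructed values.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample client registration (hypothetical values).
REGISTERED_REDIRECTS = {"b2b-portal": {"https://portal.example.com/callback"}}

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ToyAuthServer:
    """Minimal stand-in for the authorization server's code handling."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        # Exact string match against the allowlist: no prefix or wildcard logic.
        if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
            raise ValueError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def redeem(self, code, client_id, redirect_uri, code_verifier):
        # pop() makes the code single-use, even when a later check fails.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        bound_client, bound_uri, challenge = entry
        if (client_id, redirect_uri) != (bound_client, bound_uri):
            return False
        # Constant-time comparison of the recomputed challenge.
        return hmac.compare_digest(s256_challenge(code_verifier), challenge)

def demo():
    server = ToyAuthServer()
    cb = "https://portal.example.com/callback"
    verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43-128
    code = server.authorize("b2b-portal", cb, s256_challenge(verifier))
    # A party that saw only the code in the redirect lacks the verifier.
    intercepted = server.redeem(code, "b2b-portal", cb, secrets.token_urlsafe(64))
    code2 = server.authorize("b2b-portal", cb, s256_challenge(verifier))
    legit = server.redeem(code2, "b2b-portal", cb, verifier)
    replay = server.redeem(code2, "b2b-portal", cb, verifier)
    return intercepted, legit, replay
```

`demo()` returns the outcome of three redemptions: a code presented without the matching verifier, the legitimate redemption, and a replay of an already-used code.
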
Every claim traces to a source you can open
A typical AI assistant invents a citation that looks plausible. Ansvar retrieves the real one. Every finding above rests on one of these 8 primary sources — official legislation, agency guidance, and case law — each a link you or your auditor can open and check. Nothing here is generated.
- OWASP WSTG — Testing for Session Hijacking · intl · guidance · github.com
- OWASP WSTG — Testing for Session Fixation · intl · guidance · github.com
- OWASP WSTG — Testing for Logout Functionality · intl · guidance · github.com
- OWASP WSTG — Testing for Weak Encryption · intl · guidance · github.com
- OWASP WSTG — Testing for SQL Injection · intl · guidance · github.com
- STRIDE MCP — OAuth 2.0 Access Token Theft and Replay (Spring Boot and Express.js) · intl · threat-pattern · github.com
- STRIDE MCP — Predictable Token Generation via Weak Random Number Generators · intl · threat-pattern · github.com
- STRIDE MCP — WebSocket Origin Validation Bypass · intl · threat-pattern · github.com
Run this on your own data
This is available as a service: Threat Model as a Service. Bring your own documents and scope, and we'll run it end-to-end — every finding cited and validated by the expert who delivers it.