Openid-connect preventing user enumeration

When using the backend server through openid-connect to retrieve a token, the server replies with “Invalid client credentials” versus “Invalid Secret” if you get the username/password wrong. This could allow brute force applications to discover user accounts.

Is there an easy way to make this log message the same on client vs secret login?

I found that I can create a plugin overloading the ClientAuthenticator class with a new log message. If I keep the same PROVIDER_ID of “client-secret”, keycloak gives me a warning that I’m replacing default functionality.

22:06:57,867 WARN [] (ServerService Thread Pool -- 66) KC-SERVICES0047: client-secret (com.keycloak.authenticator.client.FOOClientIdAndSecretAuthenticator) is implementing the internal SPI client-authenticator. This SPI is internal and may change without notice

What are the risks in deploying with this error?

If I change the “client-secret” provider id, then I have to incorporate the jar in any client that I deploy? correct?