Possible user enumeration in default username-password form

At first I thought this could be related to my userstorageprovider SPI implementation, but I see this behavior logging into the Master realm:

Enter a valid username and incorrect password:

Enter an invalid username and any password:

Although the validation message itself does not indicate what part of the credential is invalid, the placement of the message does.

Thanks
-Jon
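The observation above is that two failure paths (unknown username versus wrong password) can be told apart even when the message text is identical, because the message is rendered in a different place. The following is an added example, not Keycloak's code and not the code of the original poster's SPI provider: a minimal login handler in plain Python whose two failure paths return exactly the same response object (same message, same `field` placement) and do the same amount of password-hashing work, plus a self-check that compares the two failure responses. The user store, salt and account names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
# Example data for this demonstration only, not Keycloak or any real realm.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-static-salt"
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Hash compared against when the username does not exist, so the
# "unknown user" path performs the same work as the "wrong password" path.
_DUMMY_HASH = _hash_password("constructed-dummy-password", _SALT)

# One generic failure response for every failed login. "field" records where
# the form renders the message; it is identical for both failure paths.
GENERIC_FAILURE = {
    "ok": False,
    "message": "Invalid username or password.",
    "field": "form",
}

def login(username: str, password: str) -> dict:
    """Authenticate and return a response dict that does not reveal
    whether the username exists."""
    record = USERS.get(username)
    if record is None:
        salt, stored = _SALT, _DUMMY_HASH
    else:
        salt, stored = record
    candidate = _hash_password(password, salt)
    # Always run the constant-time comparison, then require a real record,
    # so neither branch skips work the other one does.
    matches = hmac.compare_digest(candidate, stored)
    if record is not None and matches:
        return {"ok": True, "message": "", "field": None}
    return dict(GENERIC_FAILURE)

def failure_responses_match(unknown_user_resp: dict, wrong_password_resp: dict) -> bool:
    """Self-check for the login form: the response for a non-existent user
    and the response for a wrong password must be identical in message,
    placement and status, otherwise the form leaks which usernames exist."""
    return unknown_user_resp == wrong_password_resp

if __name__ == "__main__":
    unknown = login("nosuchuser", "anything")
    wrong = login("alice", "wrong")
    print("failure paths indistinguishable:", failure_responses_match(unknown, wrong))
```

The self-check is the kind of assertion worth keeping in a login form's test suite: it catches regressions where a template change puts the error next to the password field in one path and above the form in the other, which is exactly the difference the post describes.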

I am able to reproduce. Good catch.

However, this is a community forum, so the best place to post bugs like that is the Keycloak GitHub Issues page. Once you post it, please post the link of the issue back here so people on the forum can track it.

Based on the guidance for issues in GitHub, I should not have made this post itself and I should email the issue to keycloak-security@googlegroups.com. I will do so, and then delete this post unless admins have further guidance. Likewise I will not be able to follow up with an issue number.

1 Like