[BUG] User enumeration possible ("Invalid username or password.") #285

Closed
1 task done
awoimbee opened this issue Dec 12, 2023 · 2 comments
Labels
bug Something isn't working

Comments

awoimbee commented Dec 12, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

With a very simple auth flow:

Home IdP Discovery   Alternative
Password Form        Alternative

When a user enters an unregistered email address, he immediately gets "Invalid username or password."
See in video:
Screencast from 2023-12-12 01-04-02.webm

Expected Behavior

The best thing would be to use the Username Password Form with pre-filled username (and password if it got autofilled by a password manager) instead of using the Password Form.
Seems like it's currently possible with this auth flow:

Home IdP Discovery    Required
Generic subflow "sub"
  Username Password Flow    Required 

The issue then is that the username is not pre-filled:
kc-idp-discovery-behavior

Steps To Reproduce

No response

Version

- Keycloak: 22.0.4
- This extension: 22.0.0 (EDIT: NOT 22.1.0)

Anything else?

No response

@awoimbee awoimbee added the bug Something isn't working label Dec 12, 2023
sventorben (Owner) commented Dec 12, 2023

Hello @awoimbee

thanks for using my extension and taking the time to share this issue.

The extension will not work with the password form authenticator due to changes I needed to implement for #251.

Using the username password form should work, as you described.
I think that I implemented a test case in #251 to make sure the username will be prefilled.

Let me double check and get back to you with some details.

Have you tried making both authenticators alternatives instead of required?

awoimbee (Author) commented

Hi,
I'm so sorry, I did not understand that #251 solved my issue and that I'm using the previous release, 22.0.0.
I should not be opening issues at 3am.
I'll post something here when I get it working!
