The customer is in the process of upgrading the AMQ Broker operator in the OpenShift clusters. They manage to version 7.11.0-opr-2. Most of the AMQ Brokers in these clusters are still version 7.10.x and several of these brokers are using the keycloakLoginModule (connecting to a Red Hat SSO instance in the same OpenShift cluster). They use ActiveMQArtemisSecurity custom resources to configure this. After upgrading the operator in an OpenShift cluster to version 7.11.0-opr-2 . They noticed that an AMQ Broker in this cluster with the keycloakLoginModule configured started to show the following warnings in the log several times per minute:

2023-05-17 12:55:39,151 WARN [org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule] Login failed. Invalid status: 401, OAuth2 error. Error: invalid_grant, Error description: Invalid user credentials

keycloak pod shows an error at the same time:

•[0m•[33m12:55:39,148 WARN [org.keycloak.events] (default task-24) type=LOGIN_ERROR, realmId=bijs-realm, clientId=bijs-amq-broker, userId=null, ipAddress=100.66.3.71, error=user_not_found, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=admin, authSessionParentId=bce80e62-4072-4b9d-b99a-16d61ae04dc1, authSessionTabId=X6MZ2AFVJdA

The Customer Analysis is as follows:
"We are using OpenShift v4.10.51 and Red Hat SSO operator 7.6.1-opr-005. I didn't collect the must gather, because I have an idea about the possible cause of this issue. I have attached the security configuration of the broker in which the issue occurred (bijs-amq-broker-security-config.yaml). In this configuration both a keycloak login module and a properties login module are defined, the keycloak module as 'sufficient' and the properties module as 'required' (see also attached login.config). The warning/error mentioned in the case description are related to the 'admin' user of the broker. This user is not defined in SSO, but as a local user in the properties login module. What happens, I think, is that when an application tries to login in with the admin user, the broker first checks with Red Hat SSO and, because this fails, then tries the properties login module, which is successful. With broker operator version 7.10.x this didn't result in any log messages (because the login is successful), but now we have upgraded to operator 7.11.x apparently something has been changed in the logging configuration so that the unsuccessful login to SSO is logged as a warning. Although technically this is correct, this is still a distraction, because the login is valid. I think the warning should only be logged when the login module has been defined as 'required' (similar to operator version 7.10.x). Do you agree?"