Keycloak issue KEYCLOAK-9400

Only log valid user names on failed logins


Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Rejected

    Description

      For security reasons, only valid usernames should be logged, to avoid information leakage.
      Currently, all "LOGIN_ERROR" events with the reason "user_not_found" show the username that tried to log in. If a user accidentally entered his password into the username field, this will also be logged in plain text. Therefore the event should only state that an unknown user tried to log in.

      Request:

      • LOGIN_ERROR events with reason user_not_found should not contain the invalid username
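Since this request was rejected (see Resolution above), an operator who wants the behaviour the reporter asks for has to redact the username outside Keycloak, for example in the log pipeline between the server and a SIEM. The following is an added example written for this page, not Keycloak project code. It assumes the key=value line layout of Keycloak's jboss-logging event listener (values containing spaces are single-quoted); the sample lines, the realm, client and IP values and the `<redacted>` marker are constructed for the example. It blanks the `username` detail only on `LOGIN_ERROR` events with `error=user_not_found`, and leaves events for existing accounts (such as `invalid_user_credentials`) untouched, because that username is a real account name and useful for detection.

```python
"""Redact the typed username from Keycloak LOGIN_ERROR/user_not_found event
lines before they reach long-term log storage.

Added example for KEYCLOAK-9400, not Keycloak project code. Assumes the
key=value layout of Keycloak's jboss-logging event listener (values that
contain spaces are single-quoted). All sample data below is constructed.
"""
import re
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample events. Lines 1 and 4 are the case the issue describes:
# no such user exists, and the "username" is actually a password.
SAMPLE_LOG = """\
type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=10.0.0.5, error=user_not_found, auth_method=openid-connect, redirect_uri=https://sso.example.com/account, username=Hunter2!secret
type=LOGIN_ERROR, realmId=master, clientId=account, userId=3f9c, ipAddress=10.0.0.5, error=invalid_user_credentials, auth_method=openid-connect, username=alice
type=LOGIN, realmId=master, clientId=account, userId=3f9c, ipAddress=10.0.0.5, auth_method=openid-connect, username=alice
type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=10.0.0.5, error=user_not_found, auth_method=openid-connect, username='my pass phrase'
"""

# One key=value pair: the value is either single-quoted or runs to the next comma.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")
# The username field in place, keeping the separator that precedes it.
USERNAME_RE = re.compile(r"(^|, )username=(?:'[^']*'|[^,]*)")

REDACTED = "<redacted>"  # constructed marker; pick whatever your SIEM expects
# Exactly the case the issue asks for: the typed identifier names no account,
# so it has no audit value and may well be a password.
DEFAULT_TYPES: FrozenSet[str] = frozenset({"LOGIN_ERROR"})
DEFAULT_ERRORS: FrozenSet[str] = frozenset({"user_not_found"})


def parse_event(line: str) -> Dict[str, str]:
    """Parse one event line into a dict; quotes around values are stripped."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        fields[key] = value
    return fields


def should_redact(fields: Dict[str, str],
                  types: FrozenSet[str] = DEFAULT_TYPES,
                  errors: FrozenSet[str] = DEFAULT_ERRORS) -> bool:
    """True only for a failed login against a non-existent user that carries a username."""
    return (fields.get("type") in types
            and fields.get("error") in errors
            and "username" in fields)


def redact_event_line(line: str,
                      types: FrozenSet[str] = DEFAULT_TYPES,
                      errors: FrozenSet[str] = DEFAULT_ERRORS) -> str:
    """Return the line unchanged unless it matches; otherwise blank the username
    value in place so every other field stays byte-for-byte intact.

    Limitation: an unquoted value containing ", " is split by this layout, so a
    fragment after the comma could survive. Use a structured event format if
    that matters to you.
    """
    if not should_redact(parse_event(line), types, errors):
        return line
    return USERNAME_RE.sub(lambda m: f"{m.group(1)}username={REDACTED}", line, count=1)


def redact_events(lines: Iterable[str],
                  types: FrozenSet[str] = DEFAULT_TYPES,
                  errors: FrozenSet[str] = DEFAULT_ERRORS) -> List[str]:
    """Apply redact_event_line to every line, preserving order."""
    return [redact_event_line(line, types, errors) for line in lines]


if __name__ == "__main__":
    for out in redact_events(SAMPLE_LOG.splitlines()):
        print(out)
```

The decision is keyed on the parsed `type` and `error` fields rather than on the presence of a password-looking value, because the reporter's point is that for an unknown user the identifier has no audit value at all, whatever it looks like; the substitution edits only the `username` value so the rest of the line still matches existing SIEM rules.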


          People

            sthorger@redhat.com Stian Thorgersen
            mpaatz Martin Paatz (Inactive)
            Votes: 0
            Watchers: 3
