Keycloak / KEYCLOAK-9400

Only log valid user names on failed logins


    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Rejected
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      For security reasons, only valid usernames should be logged, to avoid information leakage.
      Currently all "LOGIN_ERROR" events with the reason "user_not_found" show the username that tried to log in. If a user accidentally entered his password into the username field, this will also be logged in plain text. Therefore the event should only state that an unknown user tried to log in.

      Request:

      • LOGIN_ERROR events with reason user_not_found should not contain the invalid username
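As an added illustration (not code from the Keycloak project or from this issue), a custom Keycloak event listener that redacts the username from its own log line when a LOGIN_ERROR carries the user_not_found error. It uses the public Keycloak event SPI; the package and class names are assumptions, and the listener must still be registered through an EventListenerProviderFactory and a META-INF/services entry before Keycloak will load it.

```java
package example.events; // assumed package, not part of Keycloak

import org.jboss.logging.Logger;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;

/**
 * Logs login failures, but replaces the username with a fixed marker when the
 * error is "user_not_found": a value that matched no account may well be a
 * password typed into the wrong field, so it must not reach the log.
 */
public class RedactingLoginErrorListener implements EventListenerProvider {

    private static final Logger LOG = Logger.getLogger(RedactingLoginErrorListener.class);
    private static final String UNKNOWN_USER = "<unknown user>";

    @Override
    public void onEvent(Event event) {
        if (event.getType() != EventType.LOGIN_ERROR) {
            return; // only failed logins are of interest here
        }
        String username = event.getDetails() == null
                ? null
                : event.getDetails().get(Details.USERNAME);
        if (Errors.USER_NOT_FOUND.equals(event.getError())) {
            username = UNKNOWN_USER; // never log a username that matched no account
        }
        // Realm, error code and source IP stay, so the failure is still auditable.
        LOG.warnf("LOGIN_ERROR realm=%s error=%s ip=%s username=%s",
                event.getRealmId(), event.getError(), event.getIpAddress(), username);
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // Admin events are not affected by this issue; nothing to redact.
    }

    @Override
    public void close() {
    }
}
```

This only governs what this listener writes; the built-in logging and event-store listeners still receive the unredacted event, so they would need to be disabled for the realm if the goal is to keep the value out of every log.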

            People

            Assignee: stianst Stian Thorgersen
            Reporter: mpaatz Martin Paatz (Inactive)
            Votes: 0
            Watchers: 3
