Project: Red Hat build of Keycloak
Issue: RHBK-2765

Login form can be used to determine which email addresses / usernames are in the system [GHI#37229]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      login/ui

      Describe the bug

      The "Invalid username or password" message gives away if an email address is present in the realm. When filling in an unknown email address the error message appears under the "Username or email" field. When filling in an email address that is in the realm with a wrong password the message appears under the "Password" field.

      [Image: with an unknown email]

      [Image: with a valid email, invalid password]

      Version

      26.1

      Regression

      [ ] The issue is a regression

      Expected behavior

      The error message does not give away which email addresses are present in the application, by having a single message that always appears in the same spot.

      Actual behavior

      See the bug description

      How to Reproduce?

      • Create a realm with a user
      • Go to login for the realm and fill in the valid email in the username or email field
      • Click on Sign-in
      • Now try the same with an unknown email
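The following is an added illustration, not Keycloak code and not part of this issue: a constructed login handler in the leaky shape the report describes (the error is anchored to the username field for an unknown account and to the password field for a known account with a wrong password) beside the hardened shape the expected behaviour asks for (one message, one anchor, one status code, whatever the cause), plus a regression check that flags the difference. The user store, credentials and `LoginResponse` structure are all constructed stand-ins.

```python
"""Why field-specific error placement leaks account existence, and the fix.

Added example; not Keycloak's login flow. Everything below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed user store: username -> salted SHA-256 of a hypothetical password.
_SALT = b"constructed-salt"
_USERS = {
    "alice@example.com": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}


def _password_ok(username: str, password: str) -> bool:
    """Verify a password. The candidate hash is computed before the lookup
    result is inspected, so the unknown-user path does the same work as the
    known-user path instead of returning early."""
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass(frozen=True)
class LoginResponse:
    status: int
    error_field: Optional[str]  # form field the template anchors the message to
    message: Optional[str]


GENERIC = "Invalid username or password."


def login_leaky(username: str, password: str) -> LoginResponse:
    """The behaviour reported in the issue: the message text is the same, but
    the field it is anchored to depends on whether the account exists."""
    if username not in _USERS:
        return LoginResponse(401, "username", GENERIC)
    if not _password_ok(username, password):
        return LoginResponse(401, "password", GENERIC)
    return LoginResponse(200, None, None)


def login_fixed(username: str, password: str) -> LoginResponse:
    """The expected behaviour: a single failure response, identical in status,
    anchor and text, for every reason the credentials could be rejected."""
    if _password_ok(username, password):
        return LoginResponse(200, None, None)
    return LoginResponse(401, "username", GENERIC)


def enumeration_oracle(login: Callable[[str, str], LoginResponse]) -> bool:
    """Regression check: True when the failure for an unknown account differs
    from the failure for a known account with a wrong password, i.e. when an
    observer could tell the two cases apart from the response alone."""
    unknown = login("nobody@example.com", "wrong")
    known_wrong_pw = login("alice@example.com", "wrong")
    return unknown != known_wrong_pw


if __name__ == "__main__":
    print("leaky handler distinguishable:", enumeration_oracle(login_leaky))
    print("fixed handler distinguishable:", enumeration_oracle(login_fixed))
```

The check compares whole responses, not just message text, because the report shows that placement alone is enough to distinguish the two cases; a template fix that keeps per-field anchoring but unifies the wording would still fail it.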

      Anything else?

      No response

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Core Clients