Red Hat build of Keycloak: RHBK-4020

Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login [GHI#43091]


      Area

      login/ui

      Describe the bug

      When an account is temporarily locked on a realm with Organization Identity-First Login execution, attempting to login results in a form with two email fields. The first field is disabled with a "Restart Login" button; the second field allows input.

      [Screenshot: https://github.com/user-attachments/assets/142fe974-e5a2-4a81-80c6-8f694232f742]

      I would speculate that the second field should not be there at all. Regardless of if the user attempts to sign into their account with the correct password or a different account altogether, login fails, so there is no reason to have an email that takes input on this form.

      [Screenshot: https://github.com/user-attachments/assets/5438fbfe-9ee1-40e6-85a1-123cbc3ff7c7]

      Version

      26.4

      Regression

      [ ] The issue is a regression

      Expected behavior

      Given the behavior of the Keycloak login form as it is now, I would expect one disabled email field with a "restart login" button.

      If the user decided for whatever reason that they had the wrong username/email, they would need to utilize the restart login button to proceed with their attempts to log into another account.

      Actual behavior

      The user is taken to a form with two email fields, one disabled and one that takes input. The field that takes input is a bit misleading, however, because the user will be unable to successfully login from that form.

      Hypothetically, if the user typos their way to this double-email form, they will see the following:

      [Screenshot: https://github.com/user-attachments/assets/94224ef1-77fb-47c2-8e4f-79f756c0a337]

      The presence of an email field that takes input and a password field will imply to the user that they will be able to login with their correct credentials from this point, but that is not the case; they will instead be met with an "Invalid username or password" validation message.

      How to Reproduce?

      1) In Authentication Settings, bind a browser flow with Organization Identity-First Login execution.
      2) In Realm Settings -> Security Defenses, enable Lockout Temporarily Brute Force Detection (and lower max login failures from default 1000)
      3) Trigger temporary lockout and attempt to login

      Anything else?

      No response
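As an added illustration of the Security Defenses step in the reproduction above (not code from the report or from Keycloak itself): this script classifies a realm export's brute-force settings using the RealmRepresentation keys `bruteForceProtected`, `permanentLockout`, `maxTemporaryLockouts`, `failureFactor` and `waitIncrementSeconds`, and flags a max-login-failures value left high enough that lockout never triggers in practice. The sample export fragment, the review threshold of 10 and the 30-second floor are constructed for this example.

```python
import json
from typing import Dict, List

# Constructed realm export fragment: only the Security Defenses keys that a
# RealmRepresentation carries for brute-force detection (values are made up).
SAMPLE_REALM_JSON = """{
  "realm": "example",
  "bruteForceProtected": true,
  "permanentLockout": false,
  "maxTemporaryLockouts": 0,
  "failureFactor": 1000,
  "waitIncrementSeconds": 60,
  "maxFailureWaitSeconds": 900,
  "maxDeltaTimeSeconds": 43200
}"""


def lockout_mode(realm: Dict) -> str:
    """Map the realm's brute-force flags onto the admin console's mode names."""
    if not realm.get("bruteForceProtected", False):
        return "disabled"
    if realm.get("permanentLockout", False):
        # permanentLockout together with a positive maxTemporaryLockouts is the
        # "lock permanently after N temporary lockouts" mode.
        if int(realm.get("maxTemporaryLockouts", 0)) > 0:
            return "temporary-then-permanent"
        return "permanent"
    return "temporary"


def audit_brute_force(realm: Dict, max_failure_factor: int = 10) -> List[str]:
    """Return findings for settings that leave lockout effectively off or too lax.

    max_failure_factor is an arbitrary review threshold chosen for this example.
    """
    mode = lockout_mode(realm)
    if mode == "disabled":
        return ["brute-force detection is disabled for realm %s" % realm.get("realm")]
    findings = []
    factor = int(realm.get("failureFactor", 0))
    if factor > max_failure_factor:
        findings.append("failureFactor=%d allows %d guesses before any lockout" % (factor, factor))
    if mode == "temporary" and int(realm.get("waitIncrementSeconds", 0)) < 30:
        findings.append("waitIncrementSeconds=%s gives a very short temporary lockout"
                        % realm.get("waitIncrementSeconds"))
    return findings


def audit_export(realm_json: str, **kwargs) -> List[str]:
    """Parse a realm export (JSON text) and audit it."""
    return audit_brute_force(json.loads(realm_json), **kwargs)
```

Run against a real export with `audit_export(open("realm-export.json").read())`; a lowered `failureFactor` (step 2 above) clears the only finding the sample produces.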

Assignee: Unassigned
Reporter: Pavel Vlha (pvlha)