
[GSS] Direct grants return invalid credentials when the user has pending actions


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • Fix Version/s: RH-SSO-7.3-CD04, RH-SSO-7.2.4.GA
    • Component/s: Server
    • Labels: None

      Go to the console and add an action to a user (Update Password for example). Then try to login with a valid password using direct grants in the admin-cli:

      curl -X POST 'http://rhsso72.sample.com:8080/auth/realms/master/protocol/openid-connect/token'  -d "username=ricky"  -d 'password=XXXXX'  -d 'grant_type=password'  -d 'client_id=admin-cli'
      {"error":"invalid_grant","error_description":"Invalid user credentials"}
      

      This change broke the direct grants login when a user has some required actions. Previously the message "Account is not fully set up" was returned, but now it is just the generic "Invalid user credentials", so it is impossible to tell whether the user failed the password check or the account has pending actions. The cause is KEYCLOAK-5284, which is only related to brute force protection (temporarily locked users).

      The pending actions are checked after the user has logged in. If the user typed an invalid password, that error is returned and the actions check is never reached, so returning a specific message for this case is safe: it is only returned when the user has already authenticated correctly.
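      The check order described above, as an added example: a small Python model of the direct grant flow, not RH-SSO/Keycloak code, with constructed users, passwords and a locked account. It shows why a distinct message for pending required actions reveals nothing to a caller who has not already authenticated.

```python
# Added example: a toy model of the direct-grant check order discussed in
# this issue. Not RH-SSO/Keycloak code; all users and passwords are constructed.
from dataclasses import dataclass, field

GENERIC_ERROR = {"error": "invalid_grant",
                 "error_description": "Invalid user credentials"}
NOT_SET_UP_ERROR = {"error": "invalid_grant",
                    "error_description": "Account is not fully set up"}


@dataclass
class User:
    username: str
    password: str                      # plaintext only because this is a toy model
    temporarily_locked: bool = False   # brute-force lockout (the KEYCLOAK-5284 case)
    required_actions: list = field(default_factory=list)


def direct_grant(users, username, password):
    """Return the JSON body the token endpoint would answer with."""
    user = users.get(username)
    # 1. Unknown or temporarily locked user: generic error, so a caller
    #    cannot distinguish a lockout from a wrong password.
    if user is None or user.temporarily_locked:
        return GENERIC_ERROR
    # 2. Password check: a wrong password never reaches the actions check.
    if password != user.password:
        return GENERIC_ERROR
    # 3. Only an already authenticated user gets here, so a specific
    #    message about pending required actions discloses nothing new.
    if user.required_actions:
        return NOT_SET_UP_ERROR
    return {"access_token": "<constructed-token>", "token_type": "Bearer"}


def sample_users():
    """Constructed sample realm: one user with a pending action, one locked, one clean."""
    return {
        "ricky": User("ricky", "correct-pw", required_actions=["UPDATE_PASSWORD"]),
        "locked": User("locked", "correct-pw", temporarily_locked=True),
        "alice": User("alice", "correct-pw"),
    }


if __name__ == "__main__":
    users = sample_users()
    for name, pw in [("ricky", "wrong"), ("ricky", "correct-pw"),
                     ("locked", "correct-pw"), ("alice", "correct-pw")]:
        print(name, pw, "->", direct_grant(users, name, pw))
```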

            Assignee: Unassigned
            Reporter: rhn-support-rmartinc (Ricardo Martin Camarero)
            Votes: 0
            Watchers: 2