Uploaded image for project: 'RH-SSO'
  1. RH-SSO
  2. RHSSO-1628

[GSS] Direct grants returns invalid credentials when user has pending actions

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Minor Minor
    • RH-SSO-7.3-CD04
    • RH-SSO-7.2.4.GA
    • Server
    • None
    • Hide

      Go to the console and add an action to a user (Update Password for example). Then try to login with a valid password using direct grants in the admin-cli:

      curl -X POST 'http://rhsso72.sample.com:8080/auth/realms/master/protocol/openid-connect/token'  -d "username=ricky"  -d 'password=XXXXX'  -d 'grant_type=password'  -d 'client_id=admin-cli'
{"error":"invalid_grant","error_description":"Invalid user credentials"}
      Show
      Go to the console and add an action to a user (Update Password for example). Then try to login with a valid password using direct grants in the admin-cli: curl -X POST 'http://rhsso72.sample.com:8080/auth/realms/master/protocol/openid-connect/token' -d "username=ricky" -d 'password=XXXXX' -d 'grant_type=password' -d 'client_id=admin-cli' {"error":"invalid_grant","error_description":"Invalid user credentials"}

      This change broke the direct grants login when a user has some required actions. Previously the message Account is not fully set up was returned but now it's just a generic Invalid user credentials. So it's impossible to know when the user is failing the password or the account has pending actions. The reason is KEYCLOAK-5284 which is only related to brute force (temporarily locked users).

      The pending actions are checked after the login of the user. If the user typed an invalid password that error is returned, not reaching the actions check. So returning a special message for this case is safe (it will be only returned when the user has correctly logged in).

              Unassigned Unassigned
              rhn-support-rmartinc Ricardo Martin Camarero
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: