RHSSO-2450 (project RH-SSO)

The login form shows "Invalid username or password" when exceeding Max login failures


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • RH-SSO-7.6.2
    • Server
    • None
    • False
    • None
    • False

      1. add a new realm
      2. add a user in the realm
      3. navigate to Realm settings > Security defenses > Brute force detection
      4. set "Enabled" to "On"
      5. set "Max login failures" to 1
      6. go to the account console (e.g., http://localhost:8080/auth/realms/testrealm1/account/), click "Sign in", then enter a correct username with a wrong password.
      7. sign in again, this time with the right password. The form still shows "Invalid username or password", even though the log message shows:

      15:21:49,173 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=testrealm1, clientId=account-console, userId=456be64c-cb34-4cef-81e2-052d2c807171, ipAddress=127.0.0.1, error=user_temporarily_disabled, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/realms/testrealm1/account/#/personal-info, code_id=66b6de24-3d96-4f61-bb7a-de24d5d0a3d7, username=user1, authSessionParentId=66b6de24-3d96-4f61-bb7a-de24d5d0a3d7, authSessionTabId=n9tcwJzBK2I

    Description

      When the number of login attempts with a wrong password exceeds "Max login failures" in Brute force detection, the login form shows "Invalid username or password" instead of "Account is temporarily disabled, contact your administrator or try again later.".
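      Because the form reports the lockout as an ordinary bad-password error, the only place the lockout is visible is the server's org.keycloak.events log line quoted above. The following Python is an added example (not part of this issue, and not RH-SSO or Keycloak code) that parses those event lines and separates brute-force lockouts from plain wrong-password attempts, so that monitoring can alert on lockouts even though users never see the message. The lockout line is taken verbatim from this report; the other two log lines are constructed. The error code invalid_user_credentials is Keycloak's code for a wrong password and user_disabled its code for an administratively disabled account; both are assumed here from Keycloak's Errors constants, not from this page.

```python
import re
from collections import Counter

# Fixed prefix of an RH-SSO / Keycloak event log line:
#   "<time> <LEVEL> [org.keycloak.events] (<thread>) key=value, key=value, ..."
_EVENT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+"
    r"\[org\.keycloak\.events\]\s+\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)

# Error codes meaning the account, not the password, blocked the login.
# user_temporarily_disabled is the brute-force lockout seen in this report;
# user_disabled (assumed Keycloak code) is an administratively disabled user.
LOCKOUT_ERRORS = {"user_temporarily_disabled", "user_disabled"}


def parse_event_line(line):
    """Return the event's key=value fields as a dict (plus _time and _level),
    or None if the line is not an org.keycloak.events entry."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {"_time": m.group("time"), "_level": m.group("level")}
    for pair in m.group("fields").split(", "):
        key, sep, value = pair.partition("=")  # split on the first '=' only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize_login_errors(lines):
    """Count LOGIN_ERROR events per (realm, username, error) and collect the
    lockout events that the login form does not report to the user."""
    counts = Counter()
    lockouts = []
    for line in lines:
        ev = parse_event_line(line)
        if ev is None or ev.get("type") != "LOGIN_ERROR":
            continue
        counts[(ev.get("realmId"), ev.get("username"), ev.get("error"))] += 1
        if ev.get("error") in LOCKOUT_ERRORS:
            lockouts.append({
                "time": ev["_time"],
                "realm": ev.get("realmId"),
                "username": ev.get("username"),
                "userId": ev.get("userId"),
                "ipAddress": ev.get("ipAddress"),
                "error": ev["error"],
            })
    return counts, lockouts


# Constructed sample log: a non-event server line, the wrong-password attempt
# that trips "Max login failures" = 1 (constructed), and the lockout line
# quoted verbatim from the report.
SAMPLE_LOG = [
    "15:21:31,002 INFO  [org.jboss.as] (Controller Boot Thread) constructed non-event line",
    "15:21:44,910 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=testrealm1, clientId=account-console, userId=456be64c-cb34-4cef-81e2-052d2c807171, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/realms/testrealm1/account/#/personal-info, code_id=66b6de24-3d96-4f61-bb7a-de24d5d0a3d7, username=user1, authSessionParentId=66b6de24-3d96-4f61-bb7a-de24d5d0a3d7, authSessionTabId=n9tcwJzBK2I",
    "15:21:49,173 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=testrealm1, clientId=account-console, userId=456be64c-cb34-4cef-81e2-052d2c807171, ipAddress=127.0.0.1, error=user_temporarily_disabled, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/realms/testrealm1/account/#/personal-info, code_id=66b6de24-3d96-4f61-bb7a-de24d5d0a3d7, username=user1, authSessionParentId=66b6de24-3d96-4f61-bb7a-de24d5d0a3d7, authSessionTabId=n9tcwJzBK2I",
]

if __name__ == "__main__":
    counts, lockouts = summarize_login_errors(SAMPLE_LOG)
    for (realm, user, error), n in sorted(counts.items()):
        print(f"{realm}/{user}: {error} x{n}")
    for lk in lockouts:
        print(f"LOCKOUT {lk['time']} realm={lk['realm']} user={lk['username']} "
              f"userId={lk['userId']} from {lk['ipAddress']}")
```

      Splitting on ", " and then on the first "=" is enough for these lines because Keycloak writes the fields in that fixed shape and values such as redirect_uri contain "=" or "#" but never ", ". Run it over a server.log to get one count per (realm, user, error) and a list of lockouts to forward to a SIEM; the distinction between invalid_user_credentials and user_temporarily_disabled is exactly what the form in this report hides.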

          People

            Assignee: Unassigned
            Reporter: rhn-support-hokuda (Hisanobu Okuda)
            Votes: 0
            Watchers: 1
