[keycloak-dev] username guessing

Michael Gerber gerbermichi at me.com
Wed Nov 4 07:24:18 EST 2015


@Bill
What do you think about this? Do you prefer the "new way" or the old one?

On 29 October 2015 at 07:15, Michael Gerber <gerbermichi at me.com> wrote:

In the past you showed the correct error message only if the user had entered the correct password.

In other words, you can split the userValidation into a pre and post validation, so you have the possibility to show sensitive messages only to authenticated users.

On 29.10.2015 at 00:42, Bill Burke <bburke at redhat.com> wrote:

Hmmm...IIRC I kept that there because, if the account is disabled how would the user ever know? This is even more important with a temporarily disabled account.

On 10/28/2015 5:48 PM, Michael Gerber wrote:
Just create a new user, disable it and try to log in with the username and a wrong password.
And you will get the following error message:
Account is disabled, contact admin.


On 28.10.2015, at 20:50, Bill Burke <bburke at redhat.com> wrote:

How is this possible?

On 10/28/2015 10:53 AM, Michael Gerber wrote:
Hi all,

it is possible to guess the username of disabled users.
This was not possible in earlier versions of keycloak. Is this on purpose?

Best
Michael


_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com




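The pre/post validation split Michael proposes, shown as an added example that is not part of this thread and not Keycloak code. It is a generic Python login routine with a constructed in-memory user store (the users "alice" and "mallory", their passwords and the message strings are assumptions for illustration). `login_leaky` reproduces the reported behaviour, where a disabled account is reported before the password is checked, so a wrong password against a disabled user gets a different answer than a wrong password against a nonexistent user. `login_hardened` checks the password first and only discloses the disabled state to a caller who supplied the correct password, which still tells the legitimate owner (Bill's concern) why they cannot log in. It also hashes against a dummy record for unknown users so the two failure paths cost the same.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Message strings are assumed for this example; they are not Keycloak's.
GENERIC_FAILURE = "Invalid username or password."
DISABLED_MESSAGE = "Account is disabled, contact admin."


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    enabled: bool


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_user(username: str, password: str, enabled: bool = True) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), enabled)


# Constructed sample store: one enabled and one disabled account.
USERS = {
    "alice": make_user("alice", "correct horse battery staple", enabled=True),
    "mallory": make_user("mallory", "hunter2", enabled=False),
}

# Dummy record used for unknown usernames so the hashing work is always done.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password-that-never-matches", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Reports account state before verifying the password (the behaviour reported in the thread)."""
    user = USERS.get(username)
    if user is None:
        return (False, GENERIC_FAILURE)
    if not user.enabled:
        # Leak: an attacker with a wrong password learns the username exists and is disabled.
        return (False, DISABLED_MESSAGE)
    if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return (False, GENERIC_FAILURE)
    return (True, "OK")


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Pre-validation: password first, identical failure for unknown user and wrong password.

    Post-validation: account state is disclosed only after the password has been proven.
    """
    user = USERS.get(username)
    salt, expected = (user.salt, user.pw_hash) if user else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if user is None or not password_ok:
        return (False, GENERIC_FAILURE)
    if not user.enabled:
        # Safe to be specific now: the caller already holds the correct password.
        return (False, DISABLED_MESSAGE)
    return (True, "OK")


def enumerates_usernames(login) -> bool:
    """True if a wrong password gives different responses for an unknown and a disabled user."""
    unknown = login("nobody", "wrong-password")
    disabled = login("mallory", "wrong-password")
    return unknown != disabled


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("hardened", login_hardened)):
        print(name, "disabled/wrong pw ->", fn("mallory", "wrong-password")[1],
              "| enumerable:", enumerates_usernames(fn))
```

The check in `enumerates_usernames` is the same one Michael describes in the thread (create a disabled user, log in with a wrong password, compare with an unknown username) and is a useful regression test to keep next to any login flow: the two failure responses must be byte-identical, and ideally take the same time, before the account state is allowed to differ.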