[keycloak-dev] username guessing

Bill Burke bburke at redhat.com
Wed Oct 28 19:42:47 EDT 2015


Hmmm...IIRC I kept that there because, if the account is disabled how 
would the user ever know?  This is even more important with a 
temporarily disabled account.

On 10/28/2015 5:48 PM, Michael Gerber wrote:
> Just create a new user, disable it and try to log in with the username and a wrong password.
> And you will get the following error message:
> Account is disabled, contact admin.
>
>
>> On 28.10.2015, at 20:50, Bill Burke <bburke at redhat.com> wrote:
>>
>> How is this possible?
>>
>> On 10/28/2015 10:53 AM, Michael Gerber wrote:
>>> Hi all,
>>>
>>> it is possible to guess the username of disabled users.
>>> This was not possible in earlier versions of keycloak. Is this on purpose?
>>>
>>> Best
>>> Michael
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
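
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: one login check that reports the disabled state before verifying the password, and one that reports it only after the correct password is presented. The user store, function names and the generic message text are assumptions made for illustration; the disabled message is the one quoted in the thread.

```python
import hashlib
import hmac
import os

GENERIC = "Invalid username or password."        # assumed wording
DISABLED = "Account is disabled, contact admin."  # message quoted in the thread

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(password: str, enabled: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "enabled": enabled}

# Constructed sample user store (hypothetical accounts).
USERS = {
    "alice": make_user("correct horse", enabled=True),
    "bob": make_user("battery staple", enabled=False),
}
# Dummy record so an unknown username costs the same hashing work.
_DUMMY = make_user("dummy", enabled=False)

def login_leaky(username: str, password: str) -> str:
    """Disabled state is checked before the password, so a wrong
    password is enough to learn that a disabled username exists."""
    user = USERS.get(username)
    if user is None:
        return GENERIC
    if not user["enabled"]:
        return DISABLED
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    return "OK" if ok else GENERIC

def login_uniform(username: str, password: str) -> str:
    """Disabled state is reported only after the correct password,
    so the account owner still learns why login fails."""
    user = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if not ok or user is _DUMMY:
        return GENERIC
    if not user["enabled"]:
        return DISABLED
    return "OK"
```

With the second ordering, a wrong password produces the same response for a disabled username and a nonexistent one, while the owner of the disabled account still sees the disabled message.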

