[keycloak-dev] username guessing

Michael Gerber gerbermichi at me.com
Thu Oct 29 02:14:05 EDT 2015


You showed in the past the correct error message only if the user has entered the correct password.

In other words, you can split the userValidation into a pre and post validation, so you have the possibility to show sensitive messages only to authenticated users.

> Am 29.10.2015 um 00:42 schrieb Bill Burke <bburke at redhat.com>:
> 
> Hmmm...IIRC I kept that there because, if the account is disabled how would the user ever know?  This is even more important with a temporarily disabled account.
> 
>> On 10/28/2015 5:48 PM, Michael Gerber wrote:
>> Just create a new user, disable it and try to log in with the username and a wrong password.
>> And you will get the following error message:
>> Account is disabled, contact admin.
>> 
>> 
>>> On 28.10.2015, at 20:50, Bill Burke <bburke at redhat.com> wrote:
>>> 
>>> How is this possible?
>>> 
>>>> On 10/28/2015 10:53 AM, Michael Gerber wrote:
>>>> Hi all,
>>>> 
>>>> it is possible to guess the username of disabled users.
>>>> This was not possible in earlier versions of keycloak. Is this on purpose?
>>>> 
>>>> Best
>>>> Michael
>>>> 
>>>> 
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> 
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
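The pre/post split proposed at the top of this thread, as an added example that is not part of the thread or of Keycloak's code: a constructed in-memory user store, a leaky flow that checks account state before the password (the behaviour reported for the disabled account), and the hardened flow that reveals the state message only once the password has verified. The user names, passwords, error strings and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

GENERIC_ERROR = "Invalid username or password."
DISABLED_ERROR = "Account is disabled, contact admin."

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    enabled: bool

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(password: str, enabled: bool = True) -> User:
    salt = os.urandom(16)
    return User(salt, _hash(password, salt), enabled)

# Constructed sample store: "ghost" is the disabled account from the report.
USERS = {"alice": make_user("correct horse"), "ghost": make_user("s3cret", enabled=False)}
# Dummy record so an unknown username still costs one hash (no timing hint).
_DUMMY = make_user(os.urandom(8).hex())

def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)

def login_leaky(username: str, password: str):
    """Pre-validation: state is checked before the password, so a wrong password still gets it."""
    user = USERS.get(username)
    if user is None:
        return False, GENERIC_ERROR
    if not user.enabled:
        return False, DISABLED_ERROR  # reply differs from unknown user: name confirmed
    if not _password_ok(user, password):
        return False, GENERIC_ERROR
    return True, None

def login_hardened(username: str, password: str):
    """Post-validation: the state message is shown only after the password verifies."""
    user = USERS.get(username)
    if not _password_ok(user or _DUMMY, password) or user is None:
        return False, GENERIC_ERROR  # unknown and wrong-password cases are indistinguishable
    if not user.enabled:
        return False, DISABLED_ERROR  # caller has already proved the password
    return True, None
```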