[keycloak-user] Able To Access Token Without Using Password
Marek Posolda
mposolda at redhat.com
Fri Sep 4 06:23:15 EDT 2015
Thanks for pointing this out. Will be fixed in 1.5.0.
Marek
On 04/09/15 04:08, Kenyatta Clark wrote:
> We were testing mobile access scenarios and discovered that we are
> able to obtain an access token using an AD user with a blank password.
> Keycloak works as expected if the password parameter is not sent,
> password sent is correct or password sent is incorrect; however, when
> we send a password without a value Keycloak returns an access token.
> We are using Keycloak 1.4.0.Final. We have confirmed the issue using
> two different installations of 1.4.0.Final. We have tested the
> same scenario with Keycloak 1.3.1.Final and it works as expected.
>
>
> *Kenyatta Clark*
>
> *Principal Engineer, Systems Development*
>
> MBO Partners
>
> *t:* 703.793.6314
>
> *w:* www.mbopartners.com <http://www.mbopartners.com/>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
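The report above describes a directory-backed login where an empty password value is accepted while a missing or wrong password is rejected. The following is an added illustration, not Keycloak's code and not the 1.5.0 fix (which the thread does not describe): it models a password-grant token endpoint in front of a constructed stand-in for an AD/LDAP directory and contrasts a naive check, which forwards whatever password it receives to the bind, with a hardened check that refuses blank passwords before any bind and additionally requires the bind to be bound as the user. The directory model reflects the LDAP "unauthenticated bind" rule (RFC 4513 section 5.1.2: a simple bind with a name and an empty password may succeed as an anonymous session); the account data, DN layout, function names and token format are all constructed for the example.

```python
"""Added example (not Keycloak code): guard a password-grant check against
blank passwords before handing them to an LDAP/AD bind.

RFC 4513 section 5.1.2 lets a server treat a simple bind with a DN and an
empty password as an "unauthenticated bind" that succeeds as an anonymous
session.  A login path that forwards a blank password straight to bind and
trusts "bind succeeded" will therefore issue a token for a user who supplied
no password at all.  The hardened check below closes both gaps.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LdapBindResult:
    success: bool
    authenticated_as: Optional[str]  # None means an anonymous session


class FakeLdapServer:
    """Constructed stand-in for a directory; models only simple bind."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # username -> password (constructed data)

    def simple_bind(self, dn: str, password: str) -> LdapBindResult:
        if password == "":
            # Unauthenticated bind: accepted as an anonymous session, which
            # is exactly the behaviour a naive caller mistakes for success.
            return LdapBindResult(True, None)
        user = dn_to_user(dn)
        if self.accounts.get(user) == password:
            return LdapBindResult(True, user)
        return LdapBindResult(False, None)


def dn_to_user(dn: str) -> str:
    """Pull the RDN value out of a constructed 'cn=<user>,ou=people' DN."""
    return dn.split(",")[0].split("=", 1)[1]


def naive_password_check(ldap: FakeLdapServer, username: str, password: str) -> bool:
    """Flawed behaviour: any successful bind counts as a valid password."""
    return ldap.simple_bind(f"cn={username},ou=people", password).success


def hardened_password_check(ldap: FakeLdapServer, username: str, password: str) -> bool:
    """Reject blank passwords up front and insist the bind is as the user."""
    if password.strip() == "":
        return False  # never let an empty password reach the directory
    res = ldap.simple_bind(f"cn={username},ou=people", password)
    return res.success and res.authenticated_as == username


def direct_grant(ldap: FakeLdapServer, form: dict,
                 check: Callable[[FakeLdapServer, str, str], bool]) -> dict:
    """Minimal model of a token endpoint handling grant_type=password.

    A missing username or password parameter is rejected before any
    credential check, matching the report that an absent password already
    failed; only the *value* of a present password reaches `check`.
    """
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    username = form.get("username")
    password = form.get("password")
    if not username or password is None:
        return {"error": "invalid_request"}
    if check(ldap, username, password):
        return {"access_token": f"token-for-{username}"}  # constructed token
    return {"error": "invalid_grant"}


if __name__ == "__main__":
    directory = FakeLdapServer({"alice": "s3cret"})
    blank = {"grant_type": "password", "username": "alice", "password": ""}
    print("naive   :", direct_grant(directory, blank, naive_password_check))
    print("hardened:", direct_grant(directory, blank, hardened_password_check))
```

The two checks differ only in the guard and in what they accept as "bound", which is the point: a correct password still works under the hardened path, a wrong one still fails, and a blank one now fails instead of riding an anonymous bind to a token.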