[keycloak-user] Able To Access Token Without Using Password

Marek Posolda mposolda at redhat.com
Fri Sep 4 06:23:15 EDT 2015

Thanks for pointing this. Will be fixed in 1.5.0.


On 04/09/15 04:08, Kenyatta Clark wrote:
> We were testing mobile access scenarios and discovered that we are 
> able to obtain an access token using an AD user with a blank password. 
>  Keycloak works as expected if the password parameter is not sent, 
> password sent is correct or password sent is incorrect; however, when 
> we send a password without a value Keycloak returns an access token. 
>  We are using Keycloak 1.4.0.Final.  We have confirmed with the issue 
> using two different installations of 1.4.0.Final.  We have tested the 
> same scenario with Keycloak 1.3.1.Final and it works as expected.
> *Kenyatta Clark*
> *Principal Engineer, Systems Development*
> MBO Partners
> *t:* 703.793.6314
> *w:*www.mbopartners.com <http://www.mbopartners.com/>
> Notice: This email and any files transmitted with it are confidential. 
> They are intended solely for the use of the individual addressed.  If 
> you have received this email in error please notify 
> postmaster at mbopartners.com <mailto:postmaster at mbopartners.com>and 
> permanently delete the e-mail and files.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150904/c8b52892/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 10866 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150904/c8b52892/attachment.png 

More information about the keycloak-user mailing list