[keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

Sebastien Blanc sblanc at redhat.com
Tue Jun 6 04:30:55 EDT 2017


I can reproduce this, please open a JIRA.

On Mon, Jun 5, 2017 at 10:59 AM, Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com> wrote:

> Hello Marek,
>
> Thank you for your response. I don't know if it's an environment issue.
>
> I've actually tried on many browsers, 2 versions of Keycloak (2.4 and 3.1)
> installed on a Linux CentOS and Windows Server OS, even a fresh install, and
> I'm still getting the issue.
>
> Please find below the steps to reproduce the bug:
> 1. Update a user by adding "Update Password" as Required User Actions
>
> 2. Login with this user (in my case "test123"). When you click on submit,
> Keycloak should redirect to the Change Password screen
>
> 3. I enter the new password (twice) and click on submit
> Screenshot: http://imgur.com/a/ueCxU
> As you can see on the screenshot, the browser (both Google Chrome and
> Firefox, latest version) tries to store "This is not a login form"
>
> I found this in the Keycloak source code:
> [ https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/login-update-password.ftl ]
> <form id="kc-passwd-update-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
>             <input type="text" readonly value="this is not a login form" style="display: none;">
>             <input type="password" readonly value="this is not a login form" style="display: none;">
>
>             <div class="${properties.kcFormGroupClass!}">
>                 <div class="${properties.kcLabelWrapperClass!}">
>                     <label for="password-new" class="${properties.kcLabelClass!}">${msg("passwordNew")}</label>
>                 </div>
>                 <div class="${properties.kcInputWrapperClass!}">
>                     <input type="password" id="password-new" name="password-new" class="${properties.kcInputClass!}" autofocus autocomplete="off" />
>                 </div>
>             </div>
>          (...)
>
> It looks like this code is interpreted by the browser and is being stored
> in the password vault.
>
> I will consider your suggestion and raise a JIRA issue.
>
> Best regards,
>
> Gregoire Jeanmart
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: 05 June 2017 08:58
> To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com>;
> keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Browser tries to store the username "This is
> not a login form" after updating a temporary password
>
> Hi,
>
> This seems like an environment-specific issue. I never saw this.
>
> It seems that it happens under some special circumstances (e.g. a specific
> browser with some specific browser plugins enabled etc). Feel free to
> create a JIRA if you manage to figure out some more details on how to reproduce it.
>
> Marek
>
> On 05/06/17 09:33, Gregoire Jeanmart wrote:
> > Hello,
> > Sorry for chasing up. Does anybody face the same problem?
> > Thanks,
> > ________________________________________
> > From: Gregoire Jeanmart
> > Sent: 31 May 2017 18:36
> > To: keycloak-user at lists.jboss.org
> > Subject: Browser tries to store the username "This is not a login
> > form" after updating a temporary password
> >
> > Hello,
> > One of my users raised an issue after he had been asked to change his
> > password [action: Update password]. The browser asked him to store a
> > username/password pair equal to "This is not a login form" / %new password%
> > [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour
> > isn't accepted by my users as it is very unusual and not user friendly.
> >
> > Is there a way to fix this issue?
> >
> > Information:
> > - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> > - Browser: Google Chrome and Mozilla Firefox
> > - Similar issue:
> > https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-being-stored-when-updating-a-password-in-keycloak
> >
> > Thanks in advance.
> >
> > Gregoire Jeanmart
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
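
A check for the pattern quoted in the thread, as an added example that is not part of the original messages or of Keycloak's code: it parses a login template and reports forms where a hidden, pre-filled text input precedes a visible password input. That a browser's password manager offers such a value as the username is the thread's observation and is treated here as an assumption; the class and function names are hypothetical, and the sample is an abridged copy of the quoted fragment.

```python
from html.parser import HTMLParser

# Constructed sample: the form fragment quoted in the thread, abridged.
SAMPLE_TEMPLATE = '''
<form id="kc-passwd-update-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
  <input type="text" readonly value="this is not a login form" style="display: none;">
  <input type="password" readonly value="this is not a login form" style="display: none;">
  <input type="password" id="password-new" name="password-new" autofocus autocomplete="off" />
</form>
'''

class DecoyFieldFinder(HTMLParser):
    """Report visible password inputs preceded, in the same form,
    by a hidden text input that carries a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None      # id of the form being parsed, or None outside a form
        self._decoys = []      # values of hidden, pre-filled text inputs seen so far

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # boolean attributes (readonly, hidden) map to None
        if tag == "form":
            self._form, self._decoys = a.get("id") or "(no id)", []
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "hidden" in a
            if kind == "text" and hidden and a.get("value"):
                self._decoys.append(a["value"])
            elif kind == "password" and not hidden and self._decoys:
                self.findings.append({
                    "form": self._form,
                    "password_field": a.get("name") or a.get("id"),
                    "decoy_value": self._decoys[-1],
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def find_decoy_usernames(template_text):
    """Return one finding per visible password input that follows a hidden decoy."""
    finder = DecoyFieldFinder()
    finder.feed(template_text)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for finding in find_decoy_usernames(SAMPLE_TEMPLATE):
        print(finding)
```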

