[keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

Gregoire Jeanmart Gregoire.Jeanmart at ai-london.com
Tue Jun 6 04:36:42 EDT 2017


OK Will do. Thanks.

Best regards

Gregoire Jeanmart

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: 06 June 2017 09:31
To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com>
Cc: Marek Posolda <mposolda at redhat.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

I can reproduce this, please open a JIRA.

On Mon, Jun 5, 2017 at 10:59 AM, Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com> wrote:
Hello Marek,

Thank you for your response. I don't know if it's an environment issue.

I've actually tried on many browsers, 2 versions of Keycloak (2.4 and 3.1) installed on a Linux CentOS and Windows Server OS, even a fresh install, and I am still getting the issue.

Please find below the steps to reproduce the bug:
1. Update a user by adding "Update Password" as Required User Actions

2. Login with this user (in my case "test123"). When you click on submit, Keycloak should redirect to the Change Password screen

3. I enter the new password (twice) and click on submit
Screenshot: http://imgur.com/a/ueCxU
As you can see on the screenshot, the browser (both Google Chrome and Firefox, latest version) tries to store "This is not a login form"

I found this in the Keycloak source code: [ https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/login-update-password.ftl ]
<form id="kc-passwd-update-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
            <input type="text" readonly value="this is not a login form" style="display: none;">
            <input type="password" readonly value="this is not a login form" style="display: none;">

            <div class="${properties.kcFormGroupClass!}">
                <div class="${properties.kcLabelWrapperClass!}">
                    <label for="password-new" class="${properties.kcLabelClass!}">${msg("passwordNew")}</label>
                </div>
                <div class="${properties.kcInputWrapperClass!}">
                    <input type="password" id="password-new" name="password-new" class="${properties.kcInputClass!}" autofocus autocomplete="off" />
                </div>
            </div>
         (...)

It looks like this code is interpreted by the browser and is being stored in the password vault.

I will consider your suggestion and raise a JIRA issue.

Best regards,

Gregoire Jeanmart

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: 05 June 2017 08:58
To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

Hi,

This seems like an environment-specific issue. I never saw this.

It seems that it happens under some special circumstances (e.g. a specific browser with some specific browser plugins enabled etc). Feel free to create a JIRA if you manage to figure out some more details on how to reproduce it.

Marek

On 05/06/17 09:33, Gregoire Jeanmart wrote:
> Hello,
> Sorry for chasing up. Does anybody face the same problem?
> Thanks,
> ________________________________________
> From: Gregoire Jeanmart
> Sent: 31 May 2017 18:36
> To: keycloak-user at lists.jboss.org
> Subject: Browser tries to store the username "This is not a login
> form" after updating a temporary password
>
> Hello,
> One of my users raised an issue after he had been asked to change his password [action: Update password]. The browser asked him to store a username/password pair equal to "This is not a login form" / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn't accepted by my users as it is very unusual and not user friendly.
>
> Is there a way to fix this issue?
>
> Information:
> - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> - Browser: Google Chrome and Mozilla Firefox
> - Similar issue:
> https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-being-stored-when-updating-a-password-in-keycloak
>
> Thanks in advance.
>
> Gregoire Jeanmart
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
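
Added example (not part of the original thread and not Keycloak's code): a simplified JavaScript model of how a password manager could end up picking the hidden decoy field from the template quoted in the thread as the username, run against those inputs and against a constructed variant. Assumptions: the "nearest text field before the first password field" heuristic, the ${username} template variable and the hardened inputs are illustrative; "username" and "new-password" are standard HTML autocomplete tokens.

```javascript
// Added example. Assumption: the password manager takes as username the
// nearest text-like <input> that precedes the first password <input>.

// Parse each <input ...> tag into an attribute map, in document order.
function parseInputs(html) {
  return (html.match(/<input\b[^>]*>/gi) || []).map((tag) => {
    const attrs = {};
    for (const m of tag.slice(6).matchAll(/([\w-]+)(?:\s*=\s*"([^"]*)")?/g)) {
      attrs[m[1].toLowerCase()] = m[2] === undefined ? true : m[2];
    }
    return attrs;
  });
}

// Return the field the modelled heuristic would treat as the username.
function guessUsernameField(html) {
  const inputs = parseInputs(html);
  const firstPw = inputs.findIndex((i) => i.type === "password");
  for (let k = firstPw - 1; k >= 0; k--) {
    const type = inputs[k].type || "text"; // a missing type defaults to text
    if (type === "text" || type === "email") return inputs[k];
  }
  return null;
}

// Flag a form whose would-be username is a static literal, not the account name.
function auditPasswordForm(html) {
  const field = guessUsernameField(html);
  if (!field) return { username: null, finding: "no-username-field" };
  const value = typeof field.value === "string" ? field.value : "";
  const templated = value.includes("${"); // filled in server-side per user
  const ok = field.autocomplete === "username" && templated;
  return { username: value, finding: ok ? "ok" : "static-decoy-username" };
}

// Inputs of the update-password form as quoted in the thread.
const PAGE_FORM = [
  '<input type="text" readonly value="this is not a login form" style="display: none;">',
  '<input type="password" readonly value="this is not a login form" style="display: none;">',
  '<input type="password" id="password-new" name="password-new" autofocus autocomplete="off" />',
].join("\n");
// Constructed variant (hypothetical): hidden field carries the real account name.
const HARDENED_FORM = [
  '<input type="text" name="username" value="${username}" autocomplete="username" readonly style="display: none;">',
  '<input type="password" id="password-new" name="password-new" autofocus autocomplete="new-password" />',
].join("\n");
console.log(auditPasswordForm(PAGE_FORM), auditPasswordForm(HARDENED_FORM));
```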


