[keycloak-user] Temporarily Locked response from openid-connect
Dmitry Telegin
dt at acutus.pro
Sun Oct 28 17:22:46 EDT 2018
Hello Hylton,
The change was intentional, see this: https://issues.jboss.org/browse/KEYCLOAK-5284
For Keycloak 3.4.1+, you can restore the previous behavior by forking the pre-3.4.1 ValidateUsername [1], deploying it as a custom authenticator and configuring your client's direct grant flow to use it.
Please beware that by doing so you could potentially re-introduce the security issue addressed by KEYCLOAK-5284 (unless of course your client is confidential).
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Sun, 2018-10-28 at 13:24 +0200, Hylton Peimer wrote:
> We have a user that is Temporarily Locked due to incorrect password entry.
>
> When attempting to get the access/refresh token from the openid-connect
> endpoint: /protocol/openid-connect/token
> with grant_type=password, we receive the following error message:
>
> Http Status: 401
>
> {
> "error": "invalid_grant",
> "error_description": "Invalid user credentials"
> }
>
> In a previous version we received a message that indicated the user was
> Locked.
>
> Is there another way to get this information in response to token request?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user