<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>We were testing mobile access scenarios and discovered that we are able to obtain an access token using an AD user with a blank password. Keycloak works as expected if the password parameter is not sent, password sent is correct or password sent is incorrect;
however, when we send a password without a value Keycloak returns an access token. We are using Keycloak 1.4.0.Final. We have confirmed the issue using two different installations of 1.4.0.Final. We have tested the same scenario with Keycloak 1.3.1.Final
and it works as expected.</div>
<div><br>
</div>
<div>
<div>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt;"><b><span style="font-family: Georgia, serif; color: rgb(160, 11, 16);">Kenyatta Clark<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt;"><b><span style="font-family: Georgia, serif; color: rgb(53, 52, 51);">Principal Engineer, Systems Development<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt;"><span style="font-family: Georgia, serif; color: rgb(53, 52, 51);">MBO Partners<o:p></o:p></span></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt;"><span style="font-family: Georgia, serif; color: rgb(53, 52, 51);"> </span></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt;"><b><span style="font-family: Georgia, serif; color: rgb(53, 52, 51);">t:</span></b><span style="font-family: Georgia, serif; color: rgb(53, 52, 51);"> 703.793.6314</span></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt;"><b><span style="font-family: Georgia, serif; color: rgb(53, 52, 51);">w:</span></b><span style="font-family: Georgia, serif; color: rgb(53, 52, 51);"> <a href="http://www.mbopartners.com/" style="color: purple;">www.mbopartners.com</a><o:p></o:p></span></p>
</div>
<br>
</div>
</div>
</div>
</body>
</html>