<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top"><span style="font-family: sans-serif;" id="yMail_cursorElementTracker_0.9183192832861096">Sorry, version is 1.5.0 final</span><div><font face="sans-serif" id="yMail_cursorElementTracker_0.20773715269751847"><br></font> <hr><table cellspacing="0" cellpadding="0" border="0"> <tbody> <tr> <td valign="top"> <div style="font-family:Roboto, sans-serif;color:#7e7d80;"><b>From</b>: "Stian Thorgersen" &lt;sthorger@redhat.com&gt;<br><b>Date</b>: Fri, 6 Nov 2015 at 13:58<br><b>Subject</b>: Re: [keycloak-user] Bug on consecutive logins after a wrong password<br><br></div> <div dir="ltr">What version?</div><div class="gmail_extra"><br clear="none"><div class="gmail_quote">On 6 November 2015 at 13:50, alex orl <span dir="ltr">&lt;<a rel="nofollow" shape="rect" ymailto="mailto:alex_orl1079@yahoo.it" target="_blank" href="javascript:return">alex_orl1079@yahoo.it</a>&gt;</span> wrote:<br
 clear="none"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="yQTDBase yqt0412279165" id="yqt08842"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;"><div>Hi to all.</div><div>Probably I caught a bug in the Keycloak authentication flow.</div><div>This is my use case:</div><div>Configuration:</div><div>1) I've created a new realm, say "TestRealm"</div><div>2) I've created 1 role: "testRole"</div><div>3) I've created 2 users: "userTest1" and "userTest2"</div><div>4) In the role mapping tab of each user I've assigned "testRole" to both of them</div><div>5) In the credential tab of each user I've changed their pwd</div><div><br clear="none"></div><div>Use case:</div><div>1) I try to access the account application from:&nbsp;<a rel="nofollow" shape="rect" target="_blank"
 href="https://localhost:8444/auth/realms/PROVA/account/" style="background-color:rgb(255,255,255);">https://localhost:8444/auth/realms/TestRealm/account/</a></div><div>2) I insert username: userTest1</div><div dir="ltr">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pwd: (a wrong password)</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Login page displays a tooltip saying "invalid username or password"</div><div dir="ltr"><br clear="none"></div><div dir="ltr">3) Without any page refresh I try to log in again with the second user:</div><div dir="ltr">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;username: userTest2:</div><div dir="ltr">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pwd: (whatever right or wrong password)</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Keycloak catches an exception:</div><div dir="ltr">The page displays:</div><div>
        <div>
            <div>We're <strong>sorry</strong> ...</div>
            <div>Invalid username or password.</div>
            <div dir="ltr">&lt;&lt; Back to Application</div>
        </div></div><div dir="ltr"><br clear="none"></div><div dir="ltr">Keycloak console displays this exception:</div><div dir="ltr">13:35:27,343 WARN &nbsp;[org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=5c9afd4e-74f4-4c51-9015-d9d4a7ef883f, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=<a rel="nofollow" shape="rect" target="_blank" href="https://localhost:8444/auth/realms/PROVA/account/login-redirect">https://localhost:8444/auth/realms/PROVA/account/login-redirect</a>, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest</div><div dir="ltr">13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUser(AbstractUsernameFormAuthenticator.java:129)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:41)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:34)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:62)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:54)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:692)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:307)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:288)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:334)</div><div
 dir="ltr"><span style="white-space:pre-wrap;">        </span>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at java.lang.reflect.Method.invoke(Method.java:497)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</div><div dir="ltr"><span
 style="white-space:pre-wrap;">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at
 io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div><div dir="ltr"><span style="white-space:pre-wrap;">        </span>at java.lang.Thread.run(Thread.java:745)</div><div dir="ltr"><br
 clear="none"></div><div dir="ltr">13:35:33,819 WARN &nbsp;[org.keycloak.events] (default task-72) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=<a rel="nofollow" shape="rect" target="_blank" href="https://localhost:8444/auth/realms/PROVA/account/login-redirect">https://localhost:8444/auth/realms/PROVA/account/login-redirect</a>, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest2</div><div dir="ltr"><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr">I experienced this error while debugging my custom user federation provider. So I tried to replicate it with a clean situation as described in the use case above.</div><div dir="ltr">Debugging my user federation provider I could realize the real authentication flow:</div><div dir="ltr"><br clear="none"></div><div
 dir="ltr">When userTest1 logs in the flow starts from:</div><div dir="ltr"><br clear="none"></div><div dir="ltr">UsernamePasswordForm.action() ---&gt; validateUser ---&gt; &nbsp;----&gt; UserFederationProvider.isValid() ----&gt; ... ... ... ---&gt; UsernamePasswordForm.validatePassword() ----&gt; authenticate&nbsp;<br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr">When userTest2 logs in after userTest1 failure the flow starts from the UserFederationProvider.isValid():</div><div dir="ltr"><br clear="none"></div><div dir="ltr">UserFederationProvider.isValid() (the AuthenticationFlowContext user is still userTest1 )---&gt; ... ----&gt; UsernamePasswordForm.action() ---&gt; validateUser ---&gt; &nbsp;----&gt; UserFederationProvider.isValid() ----&gt; ... ... ... ---&gt;Exception on Context.set(user).<br clear="none"></div><div dir="ltr">It seems like Context is not cleaned after the first wrong login attempt, bringing with itself
 the userTest1 user object on the second one. So when Keycloak tries to set the new user object, it catches a USERCONFLICT exception.</div><div dir="ltr"><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr"><br clear="none"></div></div></div></div><br clear="none">_______________________________________________<br clear="none">
keycloak-user mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" target="_blank" href="javascript:return">keycloak-user@lists.jboss.org</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none"></blockquote></div><br clear="none"></div></td>  </tr>   </tbody>   </table></div></td></tr></table>
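<p>Added example (not part of the original thread and not Keycloak's own code): a log check for the pattern the report shows, two LOGIN_ERROR events that share one code_id but name different usernames, with a USER_CONFLICT error on the same worker thread. The sample lines are constructed in the event format quoted above, and the function names are hypothetical.</p>

```python
import re
from collections import defaultdict

# Constructed sample in the org.keycloak.events format quoted in the report
# (shortened ids, illustrative values; not output from a real server).
SAMPLE_LOG = """\
13:35:27,343 WARN  [org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=r1, clientId=account, userId=u-1111, ipAddress=127.0.0.1, error=invalid_user_credentials, code_id=c-aaaa, username=userTest1
13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
13:35:33,819 WARN  [org.keycloak.events] (default task-72) type=LOGIN_ERROR, realmId=r1, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, code_id=c-aaaa, username=userTest2
13:40:02,100 WARN  [org.keycloak.events] (default task-80) type=LOGIN_ERROR, realmId=r1, clientId=account, userId=u-3333, ipAddress=127.0.0.1, error=invalid_user_credentials, code_id=c-bbbb, username=userTest3
13:40:09,512 WARN  [org.keycloak.events] (default task-81) type=LOGIN_ERROR, realmId=r1, clientId=account, userId=u-3333, ipAddress=127.0.0.1, error=invalid_user_credentials, code_id=c-bbbb, username=userTest3
"""

EVENT_RE = re.compile(
    r"^(\S+)\s+\w+\s+\[org\.keycloak\.events\]\s+\(([^)]*)\)\s+(.*)$")
CONFLICT_RE = re.compile(
    r"^\S+\s+ERROR\s+\[org\.keycloak\.authentication\.AuthenticationProcessor\]"
    r"\s+\(([^)]*)\).*USER_CONFLICT")


def parse_event(line):
    """Parse one event line into a dict of its key=value fields, or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split(", ") if "=" in kv)
    fields["time"], fields["thread"] = m.group(1), m.group(2)
    return fields


def find_username_switches(log_text):
    """Flag each code_id whose LOGIN_ERROR events carry more than one username."""
    by_code = defaultdict(list)
    conflict_threads = set()
    for line in log_text.splitlines():
        conflict = CONFLICT_RE.match(line)
        if conflict:
            conflict_threads.add(conflict.group(1))
            continue
        ev = parse_event(line)
        if ev and ev.get("type") == "LOGIN_ERROR" and "code_id" in ev:
            by_code[ev["code_id"]].append(ev)
    findings = []
    for code_id, events in by_code.items():
        names = list(dict.fromkeys(ev.get("username") for ev in events))
        if len(names) > 1:
            findings.append({
                "code_id": code_id,
                "usernames": names,
                "null_user_id": any(ev.get("userId") == "null" for ev in events),
                # Heuristic: pool threads are reused, so confirm by timestamp.
                "user_conflict": any(ev["thread"] in conflict_threads for ev in events),
            })
    return findings
```

Repeated failures for the same username under one code_id (the constructed `c-bbbb` case) are not flagged; only a change of username within one login attempt is.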