Tuyen Nguyen The created GTNPORTAL-3592:
-------------------------------------------
Summary: Can log in as root after trying to log in as a disabled user via OAuth
Key: GTNPORTAL-3592
URL: https://issues.jboss.org/browse/GTNPORTAL-3592
Project: GateIn Portal
Issue Type: Bug
Reporter: Tuyen Nguyen The
Assignee: Tuyen Nguyen The
Steps to reproduce:
- Enable OAuth following [these docs|https://docs.jboss.org/author/display/GTNPORTAL36/OAuth+-+Authentica...]
- Start GateIn
- Register new account with Facebook (new username is "gatein")
- New user is created and logged in => OK
- Sign out that user, then log in as root
- Go to User Management and disable the created user (user "gatein")
- Sign out root
- Click the login link, then choose login with Facebook (use the Facebook account that was used to create the "gatein" user)
- The user is redirected to the login page with the message "gatein Sign in failed. User is disabled." => OK
- Now, enter root and a random password into the login form on this page and submit it
- User root is logged in => NOK
The root cause is in OauthLoginModule: we only check whether there is a user mapped with OAuth in the AuthenticationRegistry and, if so, return true. That marks the username/password as correct, even when the other login modules return false.
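As an added illustration (not GateIn's code; the class and function names are hypothetical), a simplified model of the login-module stacking the report describes, replaying the steps above against the flawed check and against a check that ties the OAuth mapping to the submitted username and clears it on failure:

```python
# Simplified model of the login-module stacking described in this report. Added
# illustration only: the names below are hypothetical, not GateIn's own classes.

# Constructed sample accounts: "gatein" was created through Facebook, then disabled.
USERS = {
    "root":   {"password": "root-pw", "enabled": True},
    "gatein": {"password": None,      "enabled": False},
}

class AuthenticationRegistry:
    """Holds the username that an OAuth callback resolved for a browser session."""
    def __init__(self):
        self.oauth_user = {}   # session id -> username mapped to the OAuth account

def vulnerable_oauth_module(session, username, password, registry):
    # Bug from the report: any mapping for this session counts as success,
    # without checking that it belongs to the username now being submitted.
    return session in registry.oauth_user

def fixed_oauth_module(session, username, password, registry):
    mapped = registry.oauth_user.get(session)
    if mapped is None:
        return False             # not an OAuth flow; let the other modules decide
    ok = mapped == username and USERS.get(mapped, {}).get("enabled", False)
    if not ok:
        registry.oauth_user.pop(session, None)  # stale mapping must not leak into a later form login
    return ok

def password_module(session, username, password, registry):
    user = USERS.get(username)
    return bool(user and user["password"] is not None and user["password"] == password)

def login(session, username, password, registry, oauth_module):
    # As the report describes it: a True from the OAuth module counts as verified
    # credentials even when the password module says False; the enabled check that
    # follows is what yields the "User is disabled" message for the submitted username.
    credentials_ok = (oauth_module(session, username, password, registry)
                      or password_module(session, username, password, registry))
    user = USERS.get(username)
    return bool(credentials_ok and user and user["enabled"])

def replay_report(oauth_module):
    """Replay the reporter's steps: (disabled OAuth user got in, root with bad password got in)."""
    registry, session = AuthenticationRegistry(), "browser-1"
    registry.oauth_user[session] = "gatein"   # Facebook callback mapped the session to "gatein"
    oauth_attempt = login(session, "gatein", None, registry, oauth_module)
    form_attempt = login(session, "root", "random", registry, oauth_module)
    return oauth_attempt, form_attempt
```

With the flawed module the replay returns (False, True): the disabled user is rejected but root then gets in with a random password; with the fixed module both attempts fail.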
--
This message was sent by Atlassian JIRA (v6.3.15#6346)