I looked a bit more into the code.
And I think you should not set the authenticated user before you have validated the
password. Isn't it a bit dangerous if the authenticated user is set even if the
entered password is wrong?
On 15.10.2015 at 09:26, Michael Gerber <gerbermichi(a)me.com> wrote:
Hi all,
I get the following error if I try to log in as user1 with a wrong password and then as
user2 with a correct password.
2015-10-15 09:05:58,605 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-24) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
    at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
    at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
I think the reason for that is the context.setUser(user) call in the
AbstractUsernameFormAuthenticator.validateUser method.
Is this on purpose?
Best
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
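
The ordering question raised in this thread, as an added example that is not Keycloak code and not part of the original messages: a small model of a login session that rejects rebinding to a different user, run once with the user bound before the password check and once with the user bound only after it. The class `BindAfterVerify`, the `Session` type, the method names and the sample credentials are all hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
// Hypothetical model of a login session; these are not Keycloak's classes.
public class BindAfterVerify {
    static class Session {
        private String authenticatedUser; // null until a user is bound
        // Models the conflict seen in the log: rebinding to a different user fails.
        void setUser(String user) {
            if (authenticatedUser != null && !authenticatedUser.equals(user)) {
                throw new IllegalStateException("USER_CONFLICT");
            }
            authenticatedUser = user;
        }
    }

    // Constructed sample credentials; a real store would hold salted password hashes.
    static final Map<String, String> PASSWORDS = Map.of("user1", "pw1", "user2", "pw2");
    static boolean passwordOk(String user, String password) {
        String expected = PASSWORDS.get(user);
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }

    // Order described in the thread: the user is bound before the password is checked.
    static boolean loginBindFirst(Session s, String user, String password) {
        s.setUser(user);
        return passwordOk(user, password);
    }

    // Alternative order: bind the user only after the credential has been verified.
    static boolean loginVerifyFirst(Session s, String user, String password) {
        if (!passwordOk(user, password)) return false;
        s.setUser(user);
        return true;
    }

    public static void main(String[] args) {
        Session a = new Session();
        loginBindFirst(a, "user1", "wrong"); // login fails, but user1 stays bound to the session
        try { loginBindFirst(a, "user2", "pw2"); }
        catch (IllegalStateException e) { System.out.println("bind-first: " + e.getMessage()); }
        Session b = new Session();
        loginVerifyFirst(b, "user1", "wrong"); // login fails, nothing is bound
        System.out.println("verify-first: " + loginVerifyFirst(b, "user2", "pw2"));
    }
}
```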