Maybe we can log the username only if it is the username of an existing
user? But I'm not sure; I would also rather keep it as is, as it looks more
like a theoretical issue, considering that all browsers support "dots" in
the password field, so the user will probably recognize very early that he
is trying to enter a password into the username field.
Marek
On 21/02/2019 14:05, Stian Thorgersen wrote:
If an invalid username or email is used during login the logs will
include the username.
This could potentially be an issue if a user mistakenly enters his
credentials into the username field. We had this
https://issues.jboss.org/browse/KEYCLOAK-9400 issue opened.
Personally I'm not convinced this is a real issue and I'm leaning towards
keeping it as is as having the username available can be useful when
debugging login issues.
Question is should we log the username or not?