I had the same issue as described in issue
https://issues.jboss.org/browse/KEYCLOAK-4251 and would like to ask for the
argument of having different behavior for this use case happening from the
browser vs via direct access grants.
I can understand the argument in not wanting to leak too much information
to possible attackers regarding user account status, but at least then this
behavior should be aligned in both situations which is not the case here so
in my opinion the issue is valid.
Either the login form should change or the direct access grant should
change imo
Browser: Username already exists
Direct access grant: "Invalid user credentials"
Thoughts?