We were testing mobile access scenarios and discovered that we are able to obtain an access token using an AD user with a blank password.  Keycloak works as expected if the password parameter is not sent, password sent is correct or password sent is incorrect; however, when we send a password without a value Keycloak returns an access token.  We are using Keycloak 1.4.0.Final.  We have confirmed with the issue using two different installations of 1.4.0.Final.  We have tested the same scenario with Keycloak 1.3.1.Final and it works as expected.