We were testing mobile access scenarios and discovered
that we are able to obtain an access token using an AD user
with a blank password. Keycloak works as expected if the
password parameter is not sent, password sent is correct or
password sent is incorrect; however, when we send a password
without a value Keycloak returns an access token. We are
using Keycloak 1.4.0.Final. We have confirmed with the
issue using two different installations of 1.4.0.Final. We
have tested the same scenario with Keycloak 1.3.1.Final and
it works as expected.
Kenyatta Clark
Principal Engineer,
Systems Development
MBO Partners
t: 703.793.6314
Notice: This email and any files transmitted with it are confidential. They are intended solely for the use of the individual addressed. If you have received this email in error please notify postmaster@mbopartners.comand permanently delete the e-mail and files.
_______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user