We were testing mobile access scenarios and discovered that we are able to obtain an
access token using an AD user with a blank password. Keycloak works as expected if the
password parameter is not sent, if the password sent is correct, or if the password sent is
incorrect; however, when we send a password parameter without a value, Keycloak returns an
access token. We are using Keycloak 1.4.0.Final. We have confirmed the issue using two
different installations of 1.4.0.Final. We have tested the same scenario with Keycloak
1.3.1.Final and it works as expected.
Kenyatta Clark
Principal Engineer, Systems Development
MBO Partners
t: 703.793.6314
w: www.mbopartners.com
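A regression check for the behaviour reported above, added here as an example and not code from the original report or from the Keycloak project: it sends a Direct Access Grant (OAuth2 resource-owner password) request to the token endpoint for the three cases the report distinguishes (password parameter omitted, blank, wrong) and flags any case that yields an access token. The endpoint URL, realm, client id and username are placeholders.

```python
"""Check that a Keycloak token endpoint rejects a blank password for an
AD/LDAP-federated user (the case the report says wrongly succeeds)."""
import json
import urllib.error
import urllib.parse
import urllib.request


def build_grant_body(client_id, username, password):
    """Form-encode a password-grant request. password=None omits the
    parameter entirely; password='' sends the parameter with an empty value,
    which is the case that must be rejected just like a wrong password."""
    fields = {"grant_type": "password", "client_id": client_id, "username": username}
    if password is not None:
        fields["password"] = password
    return urllib.parse.urlencode(fields).encode()


def token_issued(status, body):
    """True only for a successful token response: HTTP 200 carrying an
    access_token. For the negative cases probed here, True means a bug."""
    if status != 200:
        return False
    try:
        return "access_token" in json.loads(body)
    except ValueError:
        return False


def probe(token_url, client_id, username, password):
    """POST one grant request and report whether a token came back."""
    req = urllib.request.Request(
        token_url,
        data=build_grant_body(client_id, username, password),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return token_issued(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 400/401 responses land here
        return token_issued(err.code, err.read().decode())


def run_checks(token_url, client_id, username):
    """Run the three negative cases from the report; every value should be False."""
    cases = {"omitted": None, "blank": "", "wrong": "not-the-real-password"}
    return {name: probe(token_url, client_id, username, pw) for name, pw in cases.items()}


if __name__ == "__main__":
    # Placeholders: point at a test realm containing an AD/LDAP-federated user.
    URL = "https://keycloak.example.invalid/auth/realms/REALM/protocol/openid-connect/token"
    for name, issued in run_checks(URL, "test-client", "ad.user").items():
        print(f"{name:8s} password -> {'TOKEN ISSUED (bug)' if issued else 'rejected (ok)'}")
```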