Hello Hylton,
The change was intentional, see this:
https://issues.jboss.org/browse/KEYCLOAK-5284
For Keycloak 3.4.1+, you can restore previous behavior by forking pre-3.4.1
ValidateUsername [1], deploying it as a custom authenticator and configuring your
client's direct grant flow to use it.
Please beware that by doing so you could potentially re-introduce the security issue
addressed by KEYCLOAK-5284 (unless of course your client is confidential).
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Sun, 2018-10-28 at 13:24 +0200, Hylton Peimer wrote:
We have a user that is Temporarily Locked due to incorrect password
entry.
When attempting to get the access/refresh token from the openid-connect
endpoint: /protocol/openid-connect/token
with grant_type=password, we receive the following error message:
Http Status: 401
{
  "error": "invalid_grant",
  "error_description": "Invalid user credentials"
}
In a previous version we received a message that indicated the user was
Locked.
Is there another way to get this information in response to token request?