Hi,
Due to some legacy we have to use (JAAS) direct access grants, and that's actually working
really well until the account gets a required action, such as update password, verify
email, …
Before Keycloak 3.4.1, if the credentials are OK we get a 400 response with ‘Account is not
fully setup’, but without any details on what the required action actually is.
As per “KEYCLOAK-5284: Information disclosure when brute force detection is on using the
token endpoint” (1), this behavior has changed and apparently there is no feedback anymore,
even though the credentials themselves are OK.
How should we now detect ‘required actions’ to be performed if we can't even tell the
difference anymore between invalid credentials and required actions to be completed?
Why is brute force detection done like this when there is actually a brute force detection
setting in the realm, which by default is switched off?
(1) https://issues.jboss.org/browse/KEYCLOAK-5284
Thanks very much.
Jeroen Muis