[keycloak-dev] failed authentication: USER_CONFLICT

Michael Gerber gerbermichi at me.com
Fri Oct 16 01:42:02 EDT 2015


I looked a bit more into the code.
And I think you should not set the authenticated user before you have validated the password.  Isn't it a bit dangerous if the authenticated user is set even if the entered password is wrong?

> On 15.10.2015 at 09:26, Michael Gerber <gerbermichi at me.com> wrote:
> 
> Hi all,
> 
> I get the following error if I try to log in as user1 with a wrong password and then as user2 with a correct password.
> 
> 2015-10-15 09:05:58,605 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-24) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
> 	at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
> 	at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
> 
> 
> I think the reason for that is the context.setUser(user) call in the AbstractUsernameFormAuthenticator.validateUser method.
> 
> Is this on purpose?
> 
> Best
> Michael
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
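To make the ordering problem discussed in this thread concrete, here is a small added model (not Keycloak code, and not using Keycloak's real classes or method signatures) of an authentication context that is reused across login attempts in one flow. The `AuthContext`, `set_user`, `validate_user_*` and `login_sequence` names and the `USERS` table are all constructed for this illustration. It reproduces the reported sequence, a failed login as user1 followed by a correct login as user2, against a validator that binds the user before checking the password and one that binds it only afterwards:

```python
from dataclasses import dataclass
from typing import Optional, Callable, List, Union


class AuthenticationFlowException(Exception):
    """Stand-in for the flow exception seen in the thread's stack trace."""


# Constructed credential table for the illustration (hypothetical, not real data).
USERS = {"user1": "secret1", "user2": "secret2"}


@dataclass
class AuthContext:
    """Minimal model of a per-flow authentication context that survives
    across several attempts within the same login session."""
    user: Optional[str] = None

    def set_user(self, username: str) -> None:
        # Mirrors the conflict check reported in the thread: once a user has
        # been bound to the flow, binding a different one is an error.
        if self.user is not None and self.user != username:
            raise AuthenticationFlowException("USER_CONFLICT")
        self.user = username


def validate_user_buggy(ctx: AuthContext, username: str, password: str) -> bool:
    """Binds the user to the context before the password is checked."""
    if username not in USERS:
        return False
    ctx.set_user(username)          # bound even if the password turns out to be wrong
    return USERS[username] == password


def validate_user_fixed(ctx: AuthContext, username: str, password: str) -> bool:
    """Binds the user to the context only after the credential is verified."""
    if username not in USERS:
        return False
    if USERS[username] != password:
        return False                # nothing is bound on a failed attempt
    ctx.set_user(username)
    return True


def login_sequence(validate: Callable[[AuthContext, str, str], bool]) -> List[Union[bool, str]]:
    """Runs the two attempts from the thread against one shared context and
    records each outcome: True/False for a decision, or the exception name."""
    ctx = AuthContext()
    results: List[Union[bool, str]] = []
    for username, password in [("user1", "wrong"), ("user2", "secret2")]:
        try:
            results.append(validate(ctx, username, password))
        except AuthenticationFlowException as exc:
            results.append(str(exc))
    return results


if __name__ == "__main__":
    print("bind-before-check:", login_sequence(validate_user_buggy))
    print("bind-after-check: ", login_sequence(validate_user_fixed))
```

With the bind-before-check ordering the second attempt raises `USER_CONFLICT` even though user2's password is correct, because the context still carries user1 from the failed attempt; with the bind-after-check ordering the first attempt leaves the context empty and the second succeeds.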


