[keycloak-dev] failed authentication: USER_CONFLICT
Michael Gerber
gerbermichi at me.com
Fri Oct 16 01:42:02 EDT 2015
I looked a bit more into the code.
And I think you should not set the authenticated user before you have validated the password. Isn't it a bit dangerous if the authenticated user is set even if the entered password is wrong?
> Am 15.10.2015 um 09:26 schrieb Michael Gerber <gerbermichi at me.com>:
>
> Hi all,
>
> I get the following error if I try to log in as user1 with a wrong password and then as user2 with a correct password.
>
> 2015-10-15 09:05:58,605 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-24) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
> at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
> at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
>
>
> I think the reason for that is the context.setUser(user) call in the AbstractUsernameFormAuthenticator.validateUser method.
>
> Is this on purpose?
>
> Best
> Michael
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list