[keycloak-dev] failed authentication: USER_CONFLICT

Marek Posolda mposolda at redhat.com
Fri Oct 16 02:54:11 EDT 2015


+1, anyway it looks like a bug considering the scenario you described. 
Feel free to create JIRA.

Marek

On 16/10/15 07:42, Michael Gerber wrote:
> I looked a bit more into the code.
> And I think you should not set the authenticated user before you have validated the password.  Isn't it a bit dangerous if the authenticated user is set even if the entered password is wrong?
>
>> Am 15.10.2015 um 09:26 schrieb Michael Gerber <gerbermichi at me.com>:
>>
>> Hi all,
>>
>> I get the following error if I try to log in as user1 with a wrong password and then as user2 with a correct password.
>>
>> 2015-10-15 09:05:58,605 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-24) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
>> 	at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
>> 	at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
>>
>>
>> I think the reason for that is the context.setUser(user) call in the AbstractUsernameFormAuthenticator.validateUser method.
>>
>> Is this on purpose?
>>
>> Best
>> Michael
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
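The ordering problem Michael describes, as an added example that is not part of this thread or of Keycloak's code base: a hypothetical, minimal processor that binds one user to the login session and raises USER_CONFLICT when a different user is bound afterwards (the only behaviour of setAutheticatedUser visible in the posted stack trace; the real implementation is not reproduced here), driven through the exact scenario from the mail, user1 with a wrong password followed by user2 with the correct one. All names (validate_user_before_password, validate_password_then_user, run_scenario), the PBKDF2 credential store and the sample users are constructed for the illustration.

```python
"""Toy model of the authenticator ordering problem discussed in the thread.

Hypothetical example, not Keycloak's own code: a minimal "processor" that
remembers the user bound to the current login session and raises
USER_CONFLICT when a different user is bound later, driven through the
scenario from the original mail (user1 with a wrong password, then user2
with the right one).
"""
import hashlib
import hmac
import os


class AuthenticationFlowException(Exception):
    """Stands in for org.keycloak.authentication.AuthenticationFlowException."""


class AuthenticationProcessor:
    """One login session. Models only the behaviour visible in the posted
    stack trace: a user may be bound once, and binding a different user
    afterwards is a USER_CONFLICT. (Assumption, not Keycloak's code.)"""

    def __init__(self):
        self.user = None

    def set_authenticated_user(self, username):
        if self.user is not None and self.user != username:
            raise AuthenticationFlowException("USER_CONFLICT")
        self.user = username


def make_user(password, salt=None):
    """Constructed credential record: PBKDF2-HMAC-SHA256 digest plus salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return {"salt": salt, "hash": digest}


def password_ok(record, password):
    """Constant-time comparison of the recomputed digest with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 10_000)
    return hmac.compare_digest(candidate, record["hash"])


def validate_user_before_password(ctx, users, username, password):
    """Ordering as described in the mail: the user is bound to the session
    as soon as the username resolves, before the password is checked."""
    record = users.get(username)
    if record is None:
        return False
    ctx.set_authenticated_user(username)   # bound even if the password is wrong
    return password_ok(record, password)


def validate_password_then_user(ctx, users, username, password):
    """Suggested ordering: nothing is bound to the session until the
    credential has actually been verified."""
    record = users.get(username)
    if record is None or not password_ok(record, password):
        return False
    ctx.set_authenticated_user(username)
    return True


# Constructed sample directory and the scenario from the mail:
# user1 with a wrong password, then user2 with the right one, in one session.
USERS = {"user1": make_user("correct-horse"), "user2": make_user("battery-staple")}
SCENARIO = [("user1", "wrong"), ("user2", "battery-staple")]


def run_scenario(validate, users=USERS, attempts=SCENARIO):
    """Run the attempts through one processor; return one outcome per attempt."""
    ctx = AuthenticationProcessor()
    outcomes = []
    for username, password in attempts:
        try:
            outcomes.append("ok" if validate(ctx, users, username, password) else "invalid")
        except AuthenticationFlowException as exc:
            outcomes.append(str(exc))
    return outcomes


if __name__ == "__main__":
    print("user set before check :", run_scenario(validate_user_before_password))
    print("password checked first:", run_scenario(validate_password_then_user))
```

With the user bound before the check, the second attempt fails with USER_CONFLICT even though user2's password is correct, which is the error from the mail; with the check first, the first attempt is simply rejected and the second succeeds. Retrying the same user after a wrong password works in both orderings, so the symptom only appears when the username changes within one session, which is why the stale binding is easy to miss in testing.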