[keycloak-dev] username guessing

Michael Gerber gerbermichi at me.com
Wed Oct 28 17:48:36 EDT 2015


Just create a new user, disable it and try to log in with the username and a wrong password.
And you will get the following error message:
Account is disabled, contact admin.


> On 28.10.2015, at 20:50, Bill Burke <bburke at redhat.com> wrote:
> 
> How is this possible?
> 
> On 10/28/2015 10:53 AM, Michael Gerber wrote:
>> Hi all,
>> 
>> it is possible to guess the username of disabled users.
>> This was not possible in earlier versions of Keycloak. Is this on purpose?
>> 
>> Best
>> Michael
>> 
>> 
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
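
The behaviour described in this message, reduced to a small model (an added example, not part of the original post and not Keycloak's code): a login check that reports the disabled state before verifying the password, next to one that verifies the password first, plus a regression check that lists which usernames a wrong-password reply gives away. The account store, the generic message text and all function names are assumptions of the example.

```python
import hashlib
import hmac
import os

GENERIC = "Invalid username or password."          # assumed generic message
DISABLED = "Account is disabled, contact admin."   # message quoted in the post


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _user(password, enabled=True):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "enabled": enabled}


# Constructed sample accounts: "bob" has been disabled by an admin.
USERS = {"alice": _user("correct horse"), "bob": _user("battery staple", enabled=False)}
_DUMMY = _user("unused")  # hashed against for unknown usernames, so work is equal


def login_leaky(username, password):
    """Reveals the disabled state regardless of password (behaviour the post reports)."""
    user = USERS.get(username)
    if user is None:
        return GENERIC
    if not user["enabled"]:
        return DISABLED  # reached without knowing the password
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    return "OK" if ok else GENERIC


def login_uniform(username, password):
    """Verifies the password first; only a correct password reveals the state."""
    user = USERS.get(username)
    record = user or _DUMMY
    ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    if user is None or not ok:
        return GENERIC
    return "OK" if user["enabled"] else DISABLED


def distinguishable_usernames(login, candidates, wrong_password="not-the-password"):
    """Regression check: names whose wrong-password reply differs from an unknown user's."""
    baseline = login("no-such-user-7f3a", wrong_password)
    return [name for name in candidates if login(name, wrong_password) != baseline]
```

Run against a login implementation in a test suite, `distinguishable_usernames` should return an empty list; any name it returns marks an account whose existence the error message discloses.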



