[keycloak-dev] https://issues.jboss.org/browse/KEYCLOAK-4251

Wim Vandenhaute wim.vandenhaute at gmail.com
Tue Jul 17 08:35:51 EDT 2018


I had the same issue as described in
https://issues.jboss.org/browse/KEYCLOAK-4251 and would like to ask for the
argument for having different behavior for this use case when it happens from the
browser vs. via direct access grants.

I can understand the argument for not wanting to leak too much information
to possible attackers regarding user account status, but at least then this
behavior should be aligned in both situations, which is not the case here, so
in my opinion the issue is valid.
Either the login form should change or the direct access grant should
change, imo.

Browser: Username already exists
Direct access grant: "Invalid user credentials"

Thoughts?
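The alignment problem the post raises, as an added example that is not Keycloak's code and not part of the original thread: a simulated authentication service with two entry points (a browser login form and a direct access grant). One version gives each path its own error vocabulary, the other routes both paths through a single decision function so every failure cause (unknown user, wrong password, disabled account) produces the same generic response; `find_divergences` drives the same constructed scenarios through both paths and reports where they differ. It goes slightly beyond the thread by also hashing a dummy value for unknown users so the two paths are aligned in work done, not only in message text. All names, the user store, and the password hashing setup are assumptions made for this example.

```python
# Added example (not Keycloak's own code): a simulated authentication service
# with two entry points, a browser login form and a direct access grant,
# showing how a shared failure mapping keeps their error responses aligned.
import hashlib
import hmac
from dataclasses import dataclass

# Single generic failure message used by every entry point of the aligned service.
GENERIC_ERROR = "Invalid user credentials"


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for a real password hash; iteration count kept low for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    enabled: bool = True


# Constructed user store: 'alice' is a normal account, 'bob' is disabled.
_SALT = b"example-salt"
USERS = {
    "alice": User("alice", _SALT, hash_password("correct horse", _SALT)),
    "bob": User("bob", _SALT, hash_password("battery staple", _SALT), enabled=False),
}

# Dummy hash so an unknown user costs the same work as a known one.
_DUMMY_HASH = hash_password("unused", _SALT)


def _password_matches(user, password: str) -> bool:
    # Always computes a hash and compares in constant time, whether or not the user exists.
    expected = user.password_hash if user else _DUMMY_HASH
    salt = user.salt if user else _SALT
    return hmac.compare_digest(expected, hash_password(password, salt))


class InconsistentAuth:
    """Reproduces the divergence from the thread: each entry point has its own
    error vocabulary, so the browser path reveals account state the grant path hides."""

    def browser_login(self, username: str, password: str):
        user = USERS.get(username)
        if user is None:
            return False, "Unknown username"
        if not user.enabled:
            return False, "Account is disabled"
        if not _password_matches(user, password):
            return False, "Wrong password"
        return True, ""

    def direct_grant(self, username: str, password: str):
        user = USERS.get(username)
        if user is None or not user.enabled or not _password_matches(user, password):
            return False, GENERIC_ERROR
        return True, ""


class AlignedAuth:
    """Both entry points delegate to one decision function, so every failure
    cause maps to the same response on every path."""

    def _authenticate(self, username: str, password: str):
        user = USERS.get(username)
        ok = _password_matches(user, password)  # hash runs even for unknown users
        if user is None or not user.enabled or not ok:
            return False, GENERIC_ERROR
        return True, ""

    def browser_login(self, username: str, password: str):
        return self._authenticate(username, password)

    def direct_grant(self, username: str, password: str):
        return self._authenticate(username, password)


# Constructed scenarios covering the failure causes the two paths could treat differently.
SCENARIOS = [
    ("alice", "correct horse"),   # valid login
    ("alice", "wrong"),           # bad password
    ("nobody", "whatever"),       # unknown user
    ("bob", "battery staple"),    # disabled account, right password
]


def find_divergences(auth):
    """Return (username, browser_message, grant_message) for every scenario where
    the browser form and the direct grant respond differently; an aligned
    service returns an empty list."""
    out = []
    for username, password in SCENARIOS:
        browser = auth.browser_login(username, password)
        grant = auth.direct_grant(username, password)
        if browser != grant:
            out.append((username, browser[1], grant[1]))
    return out


if __name__ == "__main__":
    print("inconsistent:", find_divergences(InconsistentAuth()))
    print("aligned:", find_divergences(AlignedAuth()))
```

The point of the check is that it is independent of which message you consider correct: it only asserts that the two entry points agree, which is the property the post asks for. In a real deployment the same scenarios would be run against the actual login form and token endpoint rather than the simulated classes here.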

