[keycloak-dev] Log username if user is not found?

Stian Thorgersen sthorger at redhat.com
Thu Feb 21 08:05:54 EST 2019

If an invalid username or email is used during login the logs will include
the username.

This could potentially be an issue if a user mistakenly enters his
credentials into the username field. We had this
https://issues.jboss.org/browse/KEYCLOAK-9400 issue opened.

Personally I'm not convinced this is a real issue and I'm leaning towards
keeping it as is as having the username available can be useful when
debugging login issues.

Question is should we log the username or not?

More information about the keycloak-dev mailing list