[keycloak-dev] Log username if user is not found?
mposolda at redhat.com
Thu Feb 21 08:30:42 EST 2019
Maybe we can log the username only if it is the username of an existing user? But
I'm not sure; I would also rather keep it as is, as it looks more like a theoretical
issue. Considering that all browsers support "dots" in the password
field, the user will probably recognize very early that he is trying to
enter a password into the username field.
On 21/02/2019 14:05, Stian Thorgersen wrote:
> If an invalid username or email is used during login the logs will include
> the username.
> This could potentially be an issue if a user mistakenly enters his
> credentials into the username field. We had this
> https://issues.jboss.org/browse/KEYCLOAK-9400 issue opened.
> Personally I'm not convinced this is a real issue and I'm leaning towards
> keeping it as is as having the username available can be useful when
> debugging login issues.
> Question is should we log the username or not?