[keycloak-dev] Log username if user is not found?

Marek Posolda mposolda at redhat.com
Thu Feb 21 08:30:42 EST 2019


Maybe we can log the username only if it is the username of an existing
user? But I'm not sure; I would also rather keep it as is, as it looks
more like a theoretical issue. Considering that all browsers support
"dots" in the password field, the user will probably recognize very
early that he is trying to enter a password into the username field.

Marek

On 21/02/2019 14:05, Stian Thorgersen wrote:
> If an invalid username or email is used during login the logs will include
> the username.
>
> This could potentially be an issue if a user mistakenly enters his
> credentials into the username field. We had this
> https://issues.jboss.org/browse/KEYCLOAK-9400 issue opened.
>
> Personally I'm not convinced this is a real issue and I'm leaning towards
> keeping it as is as having the username available can be useful when
> debugging login issues.
>
> Question is should we log the username or not?