diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java index eac2558b0b..815c19e06b 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java @@ -186,11 +186,19 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap inputData) { List credentials = new LinkedList<>(); String password = inputData.getFirst(CredentialRepresentation.PASSWORD); - credentials.add(UserCredentialModel.password(password)); + if (password == null || password.isEmpty()) { + context.getEvent().user(user); + context.getEvent().error(Errors.INVALID_USER_CREDENTIALS); + Response challengeResponse = challenge(context, Messages.INVALID_USER); + context.forceChallenge(challengeResponse); + context.clearUser(); + return false; + } if (isTemporarilyDisabledByBruteForce(context, user)) return false; - if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) { + credentials.add(UserCredentialModel.password(password)); + if (context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) { return true; } else { context.getEvent().user(user); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java index 5ccb869c3c..ad93f416ae 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java @@ -362,17 +362,6 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest { clearAllUserFailures(); } - @Test - public void testBrowserMissingPassword() throws Exception { - loginSuccess(); - loginMissingPassword(); - loginMissingPassword(); - expectTemporarilyDisabled(); - expectTemporarilyDisabled("test-user@localhost", null, "invalid"); - clearUserFailures(); - loginSuccess(); - } - @Test public void testBrowserInvalidTotp() throws Exception { loginSuccess();