credential_type is not set for password logins in LOGIN events
#40 118 ouverte le 1 juin 2025
Métriques du dépôt
- Stars
- (34 398 stars)
- Métriques de merge PR
- (Merge moyen 6j 19h) (384 PRs mergées en 30 j)
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
Keycloak does not populate credential_type in the LOGIN event for any password-based login – whether the account is local or federated via LDAP – and, furthermore, offers no detail to distinguish between an interactive password entry and an automatic login due to an existing session (cookie authenticator). By contrast, WebAuthnPasswordless logins correctly set credential_type to webauthn-passwordless, and it is also clear from the event details that those are fresh authentications. This lack of information makes it impossible to tell, when consuming user event streams (e.g., for audit logging or downstream processing), whether a user actively entered a password or simply continued an existing session.
Version
2.6.5
Regression
- The issue is a regression
Expected behavior
credential_type should be always populated in the LOGIN event.
Actual behavior
.
How to Reproduce?
.
Anything else?
No response