keycloak/keycloak

credential_type is not set for password logins in LOGIN events

Open

#40.118 aperta il 1 giu 2025

Vedi su GitHub
 (7 commenti) (1 reazione) (0 assegnatari)Java (8346 fork)batch import
area/authenticationhelp wantedkind/enhancementpriority/normalstatus/auto-bumpstatus/auto-expirestatus/expired-by-botteam/core-authn

Metriche repository

Star
 (34.398 star)
Metriche merge PR
 (Merge medio 6g 19h) (384 PR mergiate in 30 g)

Descrizione

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

Keycloak does not populate credential_type in the LOGIN event for any password-based login – whether the account is local or federated via LDAP – and, furthermore, offers no detail to distinguish between an interactive password entry and an automatic login due to an existing session (cookie authenticator). By contrast, WebAuthnPasswordless logins correctly set credential_type to webauthn-passwordless, and it is also clear from the event details that those are fresh authentications. This lack of information makes it impossible to tell, when consuming user event streams (e.g., for audit logging or downstream processing), whether a user actively entered a password or simply continued an existing session.

Version

2.6.5

Regression

  • The issue is a regression

Expected behavior

credential_type should be always populated in the LOGIN event.

Actual behavior

.

How to Reproduce?

.

Anything else?

No response

Guida contributor