credential_type is not set for password logins in LOGIN events
#40.118 aperta il 1 giu 2025
Metriche repository
- Star
- (34.398 star)
- Metriche merge PR
- (Merge medio 6g 19h) (384 PR mergiate in 30 g)
Descrizione
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
Keycloak does not populate credential_type in the LOGIN event for any password-based login – whether the account is local or federated via LDAP – and, furthermore, offers no detail to distinguish between an interactive password entry and an automatic login due to an existing session (cookie authenticator). By contrast, WebAuthnPasswordless logins correctly set credential_type to webauthn-passwordless, and it is also clear from the event details that those are fresh authentications. This lack of information makes it impossible to tell, when consuming user event streams (e.g., for audit logging or downstream processing), whether a user actively entered a password or simply continued an existing session.
Version
2.6.5
Regression
- The issue is a regression
Expected behavior
credential_type should be always populated in the LOGIN event.
Actual behavior
.
How to Reproduce?
.
Anything else?
No response