
Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login #43091

@reedpatterson

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

login/ui

Describe the bug

When an account is temporarily locked on a realm with the Organization Identity-First Login execution, attempting to log in results in a form with two email fields. The first field is disabled with a "Restart Login" button; the second field allows input.

Image

I would speculate that the second field should not be there at all. Regardless of whether the user attempts to sign into their account with the correct password or into a different account altogether, login fails, so there is no reason to have an email field that takes input on this form.

Image

Version

26.4

Regression

  • The issue is a regression

Expected behavior

Given the behavior of the Keycloak login form as it is now, I would expect one disabled email field with a "Restart Login" button.

If the user decided for whatever reason that they had the wrong username/email, they would need to utilize the restart login button to proceed with their attempts to log into another account.

Actual behavior

The user is taken to a form with two email fields, one disabled and one that takes input. The field that takes input is a bit misleading, however, because the user will be unable to successfully log in from that form.

Hypothetically, if the user typos their way to this double-email form, they will see the following:

Image

The presence of an email field that takes input and a password field will imply to the user that they will be able to log in with their correct credentials from this point, but that is not the case; they will instead be met with an "Invalid username or password" validation message.

How to Reproduce?

  1. In Authentication Settings, bind a browser flow with the Organization Identity-First Login execution.
  2. In Realm Settings -> Security Defenses, enable Lockout Temporarily Brute Force Detection (and lower max login failures from the default 1000).
  3. Trigger a temporary lockout and attempt to log in.
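The same realm configuration expressed as a partial realm representation (the shape used by realm import and the Admin REST API), added here as an illustration and not taken from the issue; the flow alias `browser-org-first` is a placeholder, and the low `failureFactor` exists only so that the temporary lockout from step 3 is reached quickly:

```json
{
  "realm": "example-realm",
  "browserFlow": "browser-org-first",
  "bruteForceProtected": true,
  "permanentLockout": false,
  "failureFactor": 3,
  "waitIncrementSeconds": 60,
  "maxFailureWaitSeconds": 900,
  "minimumQuickLoginWaitSeconds": 60,
  "quickLoginCheckMilliSeconds": 1000,
  "maxDeltaTimeSeconds": 43200
}
```

`permanentLockout: false` selects the temporary lockout mode the report describes; `browserFlow` must name a copy of the browser flow in which the Organization Identity-First Login execution has been added.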

Anything else?

No response
