Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
The method AbstractUsernameFormAuthenticator.validateUserAndPassword executes validatePassword(...) before validateUser(...). This occurs in the Authentication code flow username/password flow (browser form).
In contrast, the direct grant / token endpoint flow runs the ValidateUsername authenticator before ValidatePassword, so the username/enablement checks run before password verification.
Result: For a disabled account where the user also submits an incorrect password, the error returned to the client differs between flows (Authentication code flow vs direct grant), because the Authentication code flow runs password validation first and may return a bad-credentials-type response (or clear the user) while direct grant returns the account-disabled response. This inconsistency impacts error messaging and client behavior.
Version
26.5
Regression
- The issue is a regression
Expected behavior
Authentication code flow and direct grant should return the same error when a user is disabled and a bad password is used.
Actual behavior
Authentication code flow and direct grant return a different error when a user is disabled and a bad password is used.
How to Reproduce?
- User account is disabled.
- User submits login with wrong password:
Authentication code flow (browser username/password): validatePassword executes first -> different error shown (e.g. invalid credentials or different challenge) and the disabled-account error from validateUser is not the one returned.
Direct grant: ValidateUsername / validateUser executes first -> account disabled error returned.
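To make the divergence concrete, here is an added illustration (not Keycloak code) that models the two check orderings described above against the same constructed user store; the `User`, `Outcome`, `passwordFirst` and `userFirst` names are hypothetical stand-ins, and the disabled account with a wrong password is the case where the two orderings disagree.

```java
import java.util.Map;

// Added example, not part of Keycloak: models the order in which the browser
// form flow and the direct grant flow run the user and password checks.
public class CheckOrderDemo {
    // Hypothetical stand-in for a user record: enabled flag plus stored password.
    record User(String username, boolean enabled, String password) {}

    // Constructed sample store: one enabled account and one disabled account.
    static final Map<String, User> USERS = Map.of(
        "alice", new User("alice", true,  "correct-horse"),
        "bob",   new User("bob",   false, "battery-staple"));

    enum Outcome { OK, INVALID_CREDENTIALS, ACCOUNT_DISABLED }

    // Browser form flow as reported: validatePassword(...) runs before validateUser(...),
    // so a disabled account with a wrong password never reaches the enablement check.
    static Outcome passwordFirst(String username, String password) {
        User user = USERS.get(username);
        if (user == null || !user.password().equals(password)) {
            return Outcome.INVALID_CREDENTIALS;
        }
        if (!user.enabled()) {
            return Outcome.ACCOUNT_DISABLED;
        }
        return Outcome.OK;
    }

    // Direct grant flow: ValidateUsername (enablement) runs before ValidatePassword,
    // so a disabled account yields ACCOUNT_DISABLED regardless of the password.
    static Outcome userFirst(String username, String password) {
        User user = USERS.get(username);
        if (user == null) return Outcome.INVALID_CREDENTIALS;
        if (!user.enabled()) return Outcome.ACCOUNT_DISABLED;
        if (!user.password().equals(password)) return Outcome.INVALID_CREDENTIALS;
        return Outcome.OK;
    }

    public static void main(String[] args) {
        // Reproduction matrix: enabled/disabled account x correct/wrong password.
        String[][] cases = {
            {"alice", "correct-horse"}, {"alice", "wrong"},
            {"bob",   "battery-staple"}, {"bob",   "wrong"}};
        for (String[] c : cases) {
            Outcome form = passwordFirst(c[0], c[1]);
            Outcome direct = userFirst(c[0], c[1]);
            System.out.printf("%-6s %-15s form=%-19s direct=%-19s %s%n",
                c[0], c[1], form, direct, form == direct ? "" : "<-- mismatch");
        }
    }
}
```

Only the last row (disabled account, wrong password) prints a mismatch, which is exactly the inconsistency this report describes.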
Anything else?
No response