Covering hiding username/email when brute force is enabled during identity-first login

Closes #45685 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-03 20:39:33 -05:00 · 2026-01-22 12:30:52 -03:00 · 2026-01-22 12:30:52 -03:00 · 26a33409c5
commit 26a33409c5
parent aecd677e12
2 changed files with 49 additions and 0 deletions
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java
@ -155,6 +155,10 @@ public class LoginPage extends LanguageComboboxAwarePage {
        return !driver.findElements(By.id("username")).isEmpty();
    }

+    public boolean isEmailInputPresent() {
+        return !driver.findElements(By.id("email")).isEmpty();
+    }
+
    public boolean isRegisterLinkPresent() {
        return !driver.findElements(By.linkText("Register")).isEmpty();
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java
@ -311,10 +311,55 @@ public class OrganizationAuthenticationTest extends AbstractOrganizationTest {
        for (int i = 0; i < 3; i++) {
            loginPage.login("wrong-password");
            loginPage.assertAttemptedUsernameAvailability(true);
+            Assert.assertFalse(loginPage.isEmailInputPresent());
            Assert.assertTrue(loginPage.isPasswordInputPresent());
        }
    }

+    @Test
+    public void testHideUsernameKeptAfterPasswordFailuresBruteForceEnabled() {
+        testRealm().organizations().get(createOrganization().getId());
+
+        RealmRepresentation realm = testRealm().toRepresentation();
+        realm.setBruteForceProtected(true);
+        realm.setBruteForceStrategy(RealmRepresentation.BruteForceStrategy.MULTIPLE);
+        realm.setFailureFactor(1);
+        realm.setMaxDeltaTimeSeconds(30);
+        realm.setMaxFailureWaitSeconds(30);
+        realm.setWaitIncrementSeconds(30);
+        testRealm().update(realm);
+        getCleanup().addCleanup(() -> {
+            RealmRepresentation r = testRealm().toRepresentation();
+            r.setBruteForceProtected(false);
+            testRealm().update(r);
+        });
+
+        String email = "existing-user@" + organizationName + ".org";
+        createUser(realm.getRealm(), "existing-user", memberPassword, "John", "Doe", email);
+        openIdentityFirstLoginPage(email, false, null, false, false);
+        loginPage.assertAttemptedUsernameAvailability(true);
+        Assert.assertTrue(loginPage.isPasswordInputPresent());
+
+        loginPage.login("wrong-password");
+        loginPage.assertAttemptedUsernameAvailability(true);
+        Assert.assertTrue(loginPage.isPasswordInputPresent());
+        loginPage.login("wrong-password");
+        loginPage.assertAttemptedUsernameAvailability(true);
+        Assert.assertTrue(loginPage.isPasswordInputPresent());
+
+        openIdentityFirstLoginPage(email, false, null, false, false);
+        realm.setRegistrationEmailAsUsername(true);
+        testRealm().update(realm);
+        loginPage.login("wrong-password");
+        loginPage.assertAttemptedUsernameAvailability(true);
+        Assert.assertFalse(loginPage.isEmailInputPresent());
+        Assert.assertTrue(loginPage.isPasswordInputPresent());
+        loginPage.login("wrong-password");
+        loginPage.assertAttemptedUsernameAvailability(true);
+        Assert.assertFalse(loginPage.isEmailInputPresent());
+        Assert.assertTrue(loginPage.isPasswordInputPresent());
+    }
+
    @Test
    public void testUsernameExposureWhenEnteringEmail() {
        OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());