From 26a33409c5cc685e2680853ae7c9863db87ab652 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Thu, 22 Jan 2026 12:30:52 -0300
Subject: [PATCH] Covering hiding username/email when brute force is enabled during identity-first login
Closes #45685
Signed-off-by: Pedro Igor
---
 .../keycloak/testsuite/pages/LoginPage.java | 4 ++
 .../OrganizationAuthenticationTest.java | 45 +++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java
index 4058afc1fe5..a2680848e83 100755
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java
@@ -155,6 +155,10 @@ public class LoginPage extends LanguageComboboxAwarePage {
 return !driver.findElements(By.id("username")).isEmpty();
 }
 
+ public boolean isEmailInputPresent() {
+ return !driver.findElements(By.id("email")).isEmpty();
+ }
+
 public boolean isRegisterLinkPresent() {
 return !driver.findElements(By.linkText("Register")).isEmpty();
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java
index 4b1e95cf1cf..42f1c06df00 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java
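Review bot: `isEmailInputPresent()` probes for an element with id `email`, and nothing in this patch shows the login form ever rendering one. If the login template keeps the id `username` for the identifier field even when email-as-username is enabled (worth confirming against the theme), every `Assert.assertFalse(loginPage.isEmailInputPresent())` added in OrganizationAuthenticationTest passes whether or not the identifier is hidden. The regression this patch is meant to cover could then come back unnoticed. Those assertions would be stronger if they also checked that the `By.id("username")` lookup visible as context just above comes back empty. A Javadoc line on the helper would record the limitation: `/** True when the page has an element with id "email"; the login form may use id "username" for its identifier field. */`. The enclosing class starts and ends outside the hunk.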
@@ -311,10 +311,55 @@ public class OrganizationAuthenticationTest extends AbstractOrganizationTest {
 for (int i = 0; i < 3; i++) {
 loginPage.login("wrong-password");
 loginPage.assertAttemptedUsernameAvailability(true);
+ Assert.assertFalse(loginPage.isEmailInputPresent());
 Assert.assertTrue(loginPage.isPasswordInputPresent());
 }
 }
 
+ @Test
+ public void testHideUsernameKeptAfterPasswordFailuresBruteForceEnabled() {
+ testRealm().organizations().get(createOrganization().getId());
+
+ RealmRepresentation realm = testRealm().toRepresentation();
+ realm.setBruteForceProtected(true);
+ realm.setBruteForceStrategy(RealmRepresentation.BruteForceStrategy.MULTIPLE);
+ realm.setFailureFactor(1);
+ realm.setMaxDeltaTimeSeconds(30);
+ realm.setMaxFailureWaitSeconds(30);
+ realm.setWaitIncrementSeconds(30);
+ testRealm().update(realm);
+ getCleanup().addCleanup(() -> {
+ RealmRepresentation r = testRealm().toRepresentation();
+ r.setBruteForceProtected(false);
+ testRealm().update(r);
+ });
+
+ String email = "existing-user@" + organizationName + ".org";
+ createUser(realm.getRealm(), "existing-user", memberPassword, "John", "Doe", email);
+ openIdentityFirstLoginPage(email, false, null, false, false);
+ loginPage.assertAttemptedUsernameAvailability(true);
+ Assert.assertTrue(loginPage.isPasswordInputPresent());
+
+ loginPage.login("wrong-password");
+ loginPage.assertAttemptedUsernameAvailability(true);
+ Assert.assertTrue(loginPage.isPasswordInputPresent());
+ loginPage.login("wrong-password");
+ loginPage.assertAttemptedUsernameAvailability(true);
+ Assert.assertTrue(loginPage.isPasswordInputPresent());
+
+ openIdentityFirstLoginPage(email, false, null, false, false);
+ realm.setRegistrationEmailAsUsername(true);
+ testRealm().update(realm);
+ loginPage.login("wrong-password");
+ loginPage.assertAttemptedUsernameAvailability(true);
+ Assert.assertFalse(loginPage.isEmailInputPresent());
+ Assert.assertTrue(loginPage.isPasswordInputPresent());
+ loginPage.login("wrong-password");
+ loginPage.assertAttemptedUsernameAvailability(true);
+ Assert.assertFalse(loginPage.isEmailInputPresent());
+ Assert.assertTrue(loginPage.isPasswordInputPresent());
+ }
+
 @Test
 public void testUsernameExposureWhenEnteringEmail() {
 OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
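Review bot: The cleanup registered in `testHideUsernameKeptAfterPasswordFailuresBruteForceEnabled` only sets `bruteForceProtected` back to false. `registrationEmailAsUsername`, switched to true further down, and the changed strategy, failure factor and wait values all stay on the realm. Unless the suite re-imports the realm between tests (not visible in this hunk), later tests in the class run with email as the username, which can hide or cause failures in the neighbouring username-exposure tests. Capturing the representation before mutating it and restoring that is safer: `RealmRepresentation original = testRealm().toRepresentation();` followed by `getCleanup().addCleanup(() -> testRealm().update(original));`. Separately, the test never asserts that the lockout took effect after `setFailureFactor(1)`, so it would still pass with brute-force detection silently inactive.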