
KEYCLOAK-5734

12/5/2017 7:51:40 AM


diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/ValidationContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/ValidationContext.java
index bfad107..736acc3 100755
--- a/server-spi-private/src/main/java/org/keycloak/authentication/ValidationContext.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/ValidationContext.java
@@ -45,4 +45,11 @@ public interface ValidationContext extends FormContext {
      *
      */
     void success();
+
+    /**
+     * The error messages of this current validation will take precedence over any others. Other error messages will not
+     * be shown. This is useful to prevent validation from leaking to an attacker. For example, the recaptcha validator
+     * calls this method so that usernames cannot be phished
+     */
+    void excludeOtherErrors();
 }
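Review bot: `excludeOtherErrors()` is added as an abstract method, so every other implementation of `ValidationContext` stops compiling; since this is a public SPI interface (even if the module is named server-spi-private), a no-op default, `default void excludeOtherErrors() {}`, would keep existing implementors source- and binary-compatible while the in-tree `ValidationContextImpl` still overrides it. The Javadoc should also state the contract precisely rather than by example: it does not say whether the method must be called before or after `validationError(...)`, and "usernames cannot be phished" is imprecise — the leak being closed is that a failed captcha would otherwise still reveal "username/email already exists" messages, so I would write `so that existing usernames or e-mail addresses cannot be enumerated through a bot-driven registration form`. If the flow renders only part of the excluding validator's messages (as the current `FormAuthenticationFlow` change appears to), that limitation belongs in this Javadoc too.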
diff --git a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java
index 0a9fc07..8e6df0a 100755
--- a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java
+++ b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java
@@ -138,6 +138,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
     private class ValidationContextImpl extends FormContextImpl implements ValidationContext {
         FormAction action;
         String error;
+        boolean excludeOthers;
 
         private ValidationContextImpl(AuthenticationExecutionModel executionModel, FormAction action) {
             super(executionModel);
@@ -161,6 +162,11 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
         public void success() {
            success = true;
         }
+
+        @Override
+        public void excludeOtherErrors() {
+            excludeOthers = true;
+        }
     }
 
     @Override
@@ -222,8 +228,17 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
             for (ValidationContextImpl v : errors) {
                 for (FormMessage m : v.errors) {
                     if (!fields.contains(m.getField())) {
+                        if (v.excludeOthers) {
+                            fields.clear();
+                            messages.clear();
+                        }
+
                         fields.add(m.getField());
                         messages.add(m);
+
+                        if (v.excludeOthers) {
+                            break;
+                        }
                     }
                 }
             }
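Review bot: The `break` at the end of the inner loop only leaves `for (FormMessage m : v.errors)`; the outer loop over `errors` keeps running, so any validator whose context comes after the excluding one still appends its messages, and the "username/email already exists" errors this change is meant to hide are shown whenever the captcha is not the last validator in the list. The clear-and-break also keeps just the first message of the excluding context, which contradicts the interface Javadoc ("the error messages of this current validation will take precedence"). A two-pass approach fixes both: find the first context with `excludeOthers`, then render either only that context or all of them. The enclosing method starts before this hunk, and `fields`/`messages` are declared outside it.
```java
            // First pass: if any validator asked to exclude other errors, only its
            // messages are rendered, so a failed captcha does not reveal which
            // usernames or e-mail addresses already exist.
            ValidationContextImpl exclusive = null;
            for (ValidationContextImpl v : errors) {
                if (v.excludeOthers) {
                    exclusive = v;
                    break;
                }
            }
            for (ValidationContextImpl v : errors) {
                if (exclusive != null && v != exclusive) {
                    continue;
                }
                for (FormMessage m : v.errors) {
                    if (!fields.contains(m.getField())) {
                        fields.add(m.getField());
                        messages.add(m);
                    }
                }
            }
            // … unchanged: rendering of fields/messages …
```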
diff --git a/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java b/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java
index 28747e0..8e65450 100755
--- a/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java
+++ b/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java
@@ -127,6 +127,7 @@ public class RegistrationRecaptcha implements FormAction, FormActionFactory, Con
             formData.remove(G_RECAPTCHA_RESPONSE);
             context.error(Errors.INVALID_REGISTRATION);
             context.validationError(formData, errors);
+            context.excludeOtherErrors();
             return;