New non-IdP linked user cannot log in #71

@bickelj

Using the plain old flow works for existing users. Adding a new user (not associated with an IdP) does not seem to allow login when an administrator manually/directly sets credentials.

Aug 15 17:09:56 pdc-auth kc.sh[542]: 2025-08-15 17:09:56,077 WARN  [org.keycloak.services] (executor-thread-79) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:1070)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:378)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:349)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:341)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:407)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.keycloak.services.resources.LoginActionsService$quarkusrestinvoker$authenticateForm_8a5eee1a0ec5f9d46c9be1d4352061fa6806b300.invoke(Unknown Source)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Aug 15 17:09:56 pdc-auth kc.sh[542]:         at java.base/java.lang.Thread.run(Thread.java:840)
Aug 15 17:09:56 pdc-auth kc.sh[542]: 2025-08-15 17:09:56,080 WARN  [org.keycloak.events] (executor-thread-79) type="LOGIN_ERROR", realmId="[redacted]", realmName="pdc", clientId="pdc-openapi-docs", userId="null", ipAddress="[redacted]", error="invalid_user_credentials", auth_method="openid-connect", auth_type="code", redirect_uri="https://api.philanthropydatacommons.org/oauth2-redirect.html", code_id="[redacted]"

I don't see any difference in what is submitted in the login form for a successful vs unsuccessful login (i.e. the username might usually be null).

This is only true for the custom PDC realm, not the master realm.
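For comparing a failed login against a successful one from the same journal, the following added example (not part of the original issue and not Keycloak code) parses `org.keycloak.events` lines into fields and diffs two events. The first event line is modeled on the one in the log above; the stack-frame line and the `LOGIN` line are constructed samples, and the assumption is that successful logins are logged in the same `key="value"` layout.

```python
import re

# Matches a Keycloak event line, with or without the journald prefix.
EVENT_RE = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+\w+\s+'
    r'\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample input: one stack frame, one failed login, one success.
PREFIX = 'Aug 15 17:09:56 pdc-auth kc.sh[542]: '
HEAD = 'realmId="[redacted]", realmName="pdc", clientId="pdc-openapi-docs", '
TAIL = ('auth_method="openid-connect", auth_type="code", redirect_uri='
        '"https://api.philanthropydatacommons.org/oauth2-redirect.html", '
        'code_id="[redacted]"')
SAMPLE = [
    PREFIX + '        at org.keycloak.services.resources.LoginActionsService'
             '.processFlow(LoginActionsService.java:378)',
    PREFIX + '2025-08-15 17:09:56,080 WARN  [org.keycloak.events] '
             '(executor-thread-79) type="LOGIN_ERROR", ' + HEAD +
             'userId="null", ipAddress="[redacted]", '
             'error="invalid_user_credentials", ' + TAIL,
    PREFIX + '2025-08-15 17:05:12,345 DEBUG [org.keycloak.events] '
             '(executor-thread-42) type="LOGIN", ' + HEAD +
             'userId="00000000-0000-0000-0000-000000000000", '
             'ipAddress="[redacted]", ' + TAIL,
]

def parse_event(line):
    """Return the event fields as a dict, or None for non-event lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = dict(FIELD_RE.findall(m.group("fields")))
    if "type" not in event:
        return None
    event["timestamp"] = m.group("ts")
    return event

def login_errors_without_user(lines):
    """LOGIN_ERROR events whose userId was logged as the string "null"."""
    events = filter(None, map(parse_event, lines))
    return [e for e in events
            if e["type"] == "LOGIN_ERROR" and e.get("userId") == "null"]

def diff_events(a, b, ignore=("timestamp", "code_id", "ipAddress")):
    """Fields that differ between two events, as {field: (a_value, b_value)}."""
    keys = sorted((set(a) | set(b)) - set(ignore))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}
```

Feeding it the output of `journalctl` for the Keycloak unit and diffing a new user's `LOGIN_ERROR` against an existing user's `LOGIN` shows which event fields actually differ between the two attempts.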
