• It seems to me that authentication session is not removed. See other occurences below in the same method, which clears authentication session for some error scenarios. : DONE

• It also seems to me that error event is not thrown. See all other errors handled inside ResourceOwnerPasswordCredentialsGrantType and how are they creating an error event. Will be also good the event in the test method you added. : DONE

• I think that for service-account user, the status, error and error_description returned should be exactly the same like for unknown user. This is to avoid the possibility for "user enumeration" . However there might be the difference in the error event as the error event is supposed to be consumed by administrator, so it can be useful if administrator knows that someone tried to authenticate service account : I am not sure if I follow completely what you said maybe can you elaborate a little bit more

@mposolda

@keshavprashantdeshpande Thanks for the updated PR!

For the last paragraph: It will be good to avoid "user enumeration" . This is kind of attack, which allows potential attacker to figure what are the valid usernames on the server or valid service-accounts on the server. In case that there are different error messages for those cases:

• Username not found
• Username found, but password is incorrect
• Username found, but it is a service account

Then attacker would know that he successfully guessed some valid username (or valid service-account username). Hence it is good to make sure that there are same error messages for those cases.

When looking at this, it seems to me that it can be better to avoid doing any changes in the ResourceOwnerPasswordCredentialsGrant class, but maybe handle this in the layer of ValidateUsername class? Perhaps for example somewhere here https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java#L81 , it might be possible to add something like this:

        if (user.getServiceAccountClientLink() != null) {
            AuthenticatorUtils.dummyHash(context);
           context.getEvent().detail(Details.REASON, "User is a service account");
            context.getEvent().error(Errors.INVALID_USER); (maybe this constant will need to be introduced to the `Errors` class)
            Response challengeResponse = errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_grant", "Invalid user credentials");
            context.failure(AuthenticationFlowError.INVALID_USER, challengeResponse);
            return;
        }

Will this work for you?