What's Actually Happening

Users cannot log in to Keycloak, or to applications that use Keycloak as their identity provider. Authentication fails with one of several error messages, and the affected users are denied access.

The Error You'll See

Invalid credentials:

```text
Invalid username or password.
```

Account disabled:

```text
Account is disabled, contact your administrator.
```

Account locked:

```text
Invalid password. Your account has been temporarily locked.
```

Browser error:

```text
We are sorry...
An error occurred during authentication. Please try again.
```

Why This Happens

  1. Wrong credentials - Incorrect username or password
  2. Account disabled - User account disabled by admin
  3. Account locked - Too many failed login attempts
  4. Password expired - Password policy requires change
  5. Email not verified - Email verification required
  6. Authentication flow error - Custom flow misconfigured
  7. User federation issue - LDAP/AD connection problem

Step 1: Check User Account Status

```bash
# Access Keycloak admin console
# https://keycloak.example.com/auth/admin/

# Navigate to: Realm > Users > Find user

# Check user attributes:
# - Enabled: Yes/No
# - Email Verified: Yes/No
# - Account Locked: Yes/No

# Via CLI/API:
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm/users?username=testuser" \
  -H "Authorization: Bearer $TOKEN" | jq

# Check user sessions
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}/sessions" \
  -H "Authorization: Bearer $TOKEN"
```

Step 2: Check Failed Login Attempts

```bash
# In Admin Console:
# Realm > Realm Settings > Security Defenses > Brute Force Detection

# Check if brute force enabled:
# - Permanent Lockout: On/Off
# - Max Login Failures: 5 (default)
# - Wait Increment: 1 minute
# - Max Wait: 15 minutes

# View brute force status:
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm/attack-detection/brute-force/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN"

# Clear brute force for user:
curl -X DELETE "http://localhost:8080/auth/admin/realms/myrealm/attack-detection/brute-force/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN"

# Clear all brute force:
curl -X DELETE "http://localhost:8080/auth/admin/realms/myrealm/attack-detection/brute-force/users" \
  -H "Authorization: Bearer $TOKEN"
```

Step 3: Reset User Password

```bash
# In Admin Console:
# Realm > Users > Select user > Credentials > Reset Password

# Via API:
curl -X PUT "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}/reset-password" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "type": "password", "value": "newpassword", "temporary": false }'

# Send password reset email:
curl -X PUT "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}/execute-actions-email" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '["UPDATE_PASSWORD"]'
```

Step 4: Enable User Account

```bash
# Enable disabled user via API:
curl -X PUT "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "enabled": true }'

# Verify email:
curl -X PUT "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "emailVerified": true }'

# Unlock user (clear brute force):
curl -X DELETE "http://localhost:8080/auth/admin/realms/myrealm/attack-detection/brute-force/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN"
```

Step 5: Check Password Policies

```bash
# In Admin Console:
# Realm > Realm Settings > Security Defenses > Password Policy

# Common policies:
# - Minimum length
# - Special characters required
# - Uppercase required
# - Digits required
# - Not username
# - Password history
# - Expire password

# Check current policy via API:
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm" \
  -H "Authorization: Bearer $TOKEN" | jq '.passwordPolicy'

# Example policy string:
# "length(8) and specialChars(1) and upperCase(1) and digits(1)"

# If password expired, user must change on next login
```
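A small checker, added here as an example (not code from the article or from Keycloak), that parses the realm's `passwordPolicy` string returned in Step 5 and explains why a candidate password, such as the `newpassword` value used in Step 3, would be rejected by the reset-password call. It covers the per-password policy terms; history and expiry policies are evaluated server-side and are skipped.

```python
import re

# A policy string is a list of terms joined by " and ", each "name" or "name(arg)"
TERM_RE = re.compile(r"(\w+)(?:\((.*)\))?")


def parse_policy(policy):
    """'length(8) and notUsername' -> [('length', '8'), ('notUsername', None)]"""
    if not policy:
        return []
    terms = []
    for part in policy.split(" and "):
        m = TERM_RE.fullmatch(part.strip())
        if m:
            terms.append((m.group(1), m.group(2)))
    return terms


def check_password(policy, password, username=""):
    """Return human-readable violations; an empty list means the policy is met."""
    violations = []
    for name, arg in parse_policy(policy):
        n = int(arg) if arg and arg.isdigit() else 0
        if name == "length" and len(password) < n:
            violations.append(f"shorter than {n} characters")
        elif name == "maxLength" and n and len(password) > n:
            violations.append(f"longer than {n} characters")
        elif name == "upperCase" and sum(c.isupper() for c in password) < n:
            violations.append(f"fewer than {n} upper-case letters")
        elif name == "lowerCase" and sum(c.islower() for c in password) < n:
            violations.append(f"fewer than {n} lower-case letters")
        elif name == "digits" and sum(c.isdigit() for c in password) < n:
            violations.append(f"fewer than {n} digits")
        elif name == "specialChars" and sum(not c.isalnum() for c in password) < n:
            violations.append(f"fewer than {n} special characters")
        elif name == "notUsername" and username and password == username:
            violations.append("password equals the username")
        # passwordHistory, forceExpiredPasswordChange and regexPattern are
        # enforced by Keycloak itself and are not evaluated here.
    return violations


# Constructed sample: the Step 5 example policy plus notUsername
SAMPLE_POLICY = "length(8) and specialChars(1) and upperCase(1) and digits(1) and notUsername"

if __name__ == "__main__":
    for pw in ("newpassword", "Str0ng!Pass"):
        print(pw, "->", check_password(SAMPLE_POLICY, pw, "testuser") or "OK")
```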

Step 6: Check Authentication Flow

```bash
# In Admin Console:
# Realm > Authentication > Flows

# Check browser flow:
# - Username/Password form
# - OTP (if 2FA enabled)
# - Conditional OTP

# Check for custom flows that may be misconfigured

# Reset to default browser flow:
# 1. Copy "browser" flow
# 2. Set as default for browser

# Via API, get authentication flows:
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm/authentication/flows" \
  -H "Authorization: Bearer $TOKEN"

# Get flow executions:
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm/authentication/flows/browser/executions" \
  -H "Authorization: Bearer $TOKEN"
```

Step 7: Check Required Actions

```bash
# Check user required actions:
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN" | jq '.requiredActions'

# Common required actions:
# - UPDATE_PASSWORD
# - UPDATE_PROFILE
# - VERIFY_EMAIL
# - TERMS_AND_CONDITIONS

# Remove required actions:
curl -X PUT "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "requiredActions": [] }'

# Add required action:
curl -X PUT "http://localhost:8080/auth/admin/realms/myrealm/users/{user-id}" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "requiredActions": ["UPDATE_PASSWORD"] }'
```
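The checks from Steps 1, 2, 4 and 7 combined into one script, added here as an example (not code from the article or from the Keycloak project). It assumes the same host, realm, `$TOKEN` and `/auth` URL prefix as the curl commands above; `exact=true` on the user lookup is an Admin API query parameter assumed to be available in your Keycloak version. Without a token it runs the diagnosis over constructed sample responses instead of calling the server.

```python
import json
import os
import urllib.request

# Placeholders: same base URL and realm as the curl commands in this article
BASE = os.environ.get("KC_BASE", "http://localhost:8080/auth")
REALM = os.environ.get("KC_REALM", "myrealm")


def admin_get(path, token):
    """GET an Admin REST API path under the realm and return the parsed JSON."""
    req = urllib.request.Request(f"{BASE}/admin/realms/{REALM}{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def diagnose(user, brute):
    """Map a UserRepresentation and the brute-force status record to findings."""
    findings = []
    if not user.get("enabled", False):
        findings.append("account disabled: set enabled=true (Step 4)")
    if not user.get("emailVerified", False):
        findings.append("email not verified: blocks login if the realm requires "
                        "verification; set emailVerified=true (Step 4)")
    pending = user.get("requiredActions") or []
    if pending:
        findings.append(f"required actions pending: {', '.join(pending)} (Step 7)")
    if brute.get("disabled", False):
        findings.append(f"brute-force lock after {brute.get('numFailures', 0)} "
                        f"failures from {brute.get('lastIPFailure', '?')}; clear it (Step 2)")
    return findings


def diagnose_username(username, token):
    """Live version: exact username lookup, then the brute-force status endpoint."""
    users = admin_get(f"/users?username={username}&exact=true", token)
    if not users:
        return ["user not found in realm: check User Federation (Step 8)"]
    user = users[0]
    brute = admin_get(f"/attack-detection/brute-force/users/{user['id']}", token)
    return diagnose(user, brute)


# Constructed sample responses, shaped like the real Admin API output
SAMPLE_USER = {"id": "1234", "username": "testuser", "enabled": True,
               "emailVerified": False, "requiredActions": ["UPDATE_PASSWORD"]}
SAMPLE_BRUTE = {"numFailures": 5, "disabled": True,
                "lastIPFailure": "203.0.113.7", "lastFailure": 1700000000000}

if __name__ == "__main__":  # live run needs $TOKEN, otherwise uses the samples
    token = os.environ.get("TOKEN")
    print(diagnose_username("testuser", token) if token else diagnose(SAMPLE_USER, SAMPLE_BRUTE))
```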

Step 8: Check User Federation

```bash
# If using LDAP/AD:
# Realm > User Federation > LDAP Provider

# Test connection:
# Click "Test connection"

# Test authentication:
# Click "Test authentication"

# Check LDAP configuration:
# - Connection URL
# - Bind DN
# - Bind Credential
# - Users DN
# - Username LDAP attribute

# Sync users:
curl -X POST "http://localhost:8080/auth/admin/realms/myrealm/user-federation/{provider-id}/sync?action=triggerFullSync" \
  -H "Authorization: Bearer $TOKEN"

# Check federation logs:
# Keycloak server.log
grep "LDAP" /opt/keycloak/standalone/log/server.log
```

Step 9: Check Client Configuration

```bash
# In Admin Console:
# Realm > Clients > Select client

# Check:
# - Client ID matches application
# - Valid Redirect URIs include application URL
# - Web Origins configured for CORS
# - Access Type: confidential or public

# Check client secret:
# Credentials tab > Secret

# Regenerate secret if compromised:
curl -X POST "http://localhost:8080/auth/admin/realms/myrealm/clients/{client-id}/client-secret" \
  -H "Authorization: Bearer $TOKEN"

# Verify client configuration:
curl -X GET "http://localhost:8080/auth/admin/realms/myrealm/clients/{client-id}" \
  -H "Authorization: Bearer $TOKEN" | jq
```

Step 10: Check Keycloak Logs

```bash
# Check Keycloak logs
tail -f /opt/keycloak/standalone/log/server.log

# Or if using systemd:
journalctl -u keycloak -f

# Common errors to look for:
# - "Invalid user credentials"
# - "Account is disabled"
# - "User temporarily locked"
# - "LDAP authentication failed"
# - "Failed to authenticate"

# Enable debug logging:
# In standalone.xml (WildFly-based distribution):
# <logger category="org.keycloak">
#   <level name="DEBUG"/>
# </logger>
# In keycloak.conf (Quarkus-based distribution) the equivalent setting is:
# log-level=INFO,org.keycloak:debug

# Check login events:
# Realm > Events > Admin Events or Login Events
```

Keycloak Login Failure Checklist

| Check | Location | Expected |
|---|---|---|
| User enabled | Users > user | Yes |
| Password correct | Test login | Valid |
| Account locked | Brute force | Not locked |
| Email verified | Users > user | Yes |
| Required actions | Users > user | None blocking |
| Client config | Clients | Correct |
| Federation | User Federation | Working |

Verify the Fix

```bash
# After fixing login issue

# 1. Test user login
# Go to account console: https://keycloak.example.com/auth/realms/myrealm/account
# -> Login successful

# 2. Verify user can access application
# Application login redirect
# -> Authenticated successfully

# 3. Check user sessions
# Admin Console > Users > user > Sessions
# -> Active session shown

# 4. Verify no brute force lock
# Admin Console > Realm Settings > Security Defenses
# -> User not in brute force list

# 5. Test multiple logins
# Login and logout several times
# -> All succeed

# 6. Check logs for errors
tail /opt/keycloak/standalone/log/server.log | grep -i error
# -> No authentication errors
```

  • [Fix Keycloak Realm Misconfigured](/articles/fix-keycloak-realm-misconfigured)
  • [Fix Keycloak Session Timeout Too Short](/articles/fix-keycloak-session-timeout-too-short-for-users)
  • [Fix Keycloak Client Not Working](/articles/fix-keycloak-client-still-redirecting-to-old-identity-broker-after-migration)