Using the plain old flow works for existing users. Adding a new user (not associated with an IdP) does not seem to allow login when an administrator manually/directly sets credentials.
Aug 15 17:09:56 pdc-auth kc.sh[542]: 2025-08-15 17:09:56,077 WARN [org.keycloak.services] (executor-thread-79) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:1070)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:378)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:349)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:341)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:407)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.keycloak.services.resources.LoginActionsService$quarkusrestinvoker$authenticateForm_8a5eee1a0ec5f9d46c9be1d4352061fa6806b300.invoke(Unknown Source)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Aug 15 17:09:56 pdc-auth kc.sh[542]: at java.base/java.lang.Thread.run(Thread.java:840)
Aug 15 17:09:56 pdc-auth kc.sh[542]: 2025-08-15 17:09:56,080 WARN [org.keycloak.events] (executor-thread-79) type="LOGIN_ERROR", realmId="[redacted]", realmName="pdc", clientId="pdc-openapi-docs", userId="null", ipAddress="[redacted]", error="invalid_user_credentials", auth_method="openid-connect", auth_type="code", redirect_uri="https://api.philanthropydatacommons.org/oauth2-redirect.html", code_id="[redacted]"
I don't see any difference in what is submitted in the login form for a successful vs unsuccessful login (i.e. the username might usually be null).
This is only true for the custom PDC realm, not the master realm.
Using the plain old flow works for existing users. Adding a new user (not associated with an IdP) does not seem to allow login when an administrator manually/directly sets credentials.
I don't see any difference in what is submitted in the login form for a successful vs unsuccessful login (i.e. the username might usually be null).
This is only true for the custom PDC realm, not the master realm.