I have configured step-up authentication in Keycloak 23.0. I am able to log in with the basic acr value and able to step up with OTP.
If I try to authenticate again with acr_values=basic or acr_values=step-up, I get "Invalid username or password." But it works fine after clearing the session or after reaching loa-max-age.
ACR to LoA mapping and custom auth flow
Tried authenticating with the default browser flow: it works fine, I am able to authenticate multiple times.
Error Log:
2024-01-20 18:59:27,844 WARN [org.keycloak.authentication.authenticators.util.AcrStore] (executor-thread-43) No condition found for level '1' in the authentication flow
2024-01-20 18:59:27,846 WARN [org.keycloak.services] (executor-thread-43) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1039)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:885)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:153)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:840)
2024-01-20 18:59:27,848 WARN [org.keycloak.events] (executor-thread-43) type=LOGIN_ERROR, realmId=628feb10-aa76-43c4-99a9-173430a72642, clientId=tenant-cli, userId=null, ipAddress=192.168.65.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://oauth.pstmn.io/v1/callback, code_id=467dc632-1e1e-4bea-a744-1a851051c611, response_mode=query
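A relying-party-side check that the level requested via acr_values was actually reached, as an added example that is not part of the post and not Keycloak code. The numeric ACR-to-LoA levels and the per-level freshness window (the client-side counterpart of loa-max-age) are constructed values, since the post names the ACR strings but not their configuration.

```python
import base64
import json
import time

# Constructed ACR-to-LoA mapping in the spirit of the realm configuration the
# post describes; the post names the two ACR values but not their numeric levels.
ACR_TO_LOA = {"basic": 1, "step-up": 2}

# Constructed per-level freshness policy (seconds since auth_time); None = no limit.
LOA_MAX_AGE = {1: None, 2: 300}


def _b64url_decode(part: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT. Assumes the signature was already
    verified by the OIDC library; this only parses the payload segment."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def satisfies_level(claims: dict, requested_acr: str, now=None) -> bool:
    """Decide whether an ID token proves the level the client asked for via
    acr_values. Unknown acr values and a missing auth_time fail closed."""
    now = time.time() if now is None else now
    required = ACR_TO_LOA[requested_acr]
    achieved = ACR_TO_LOA.get(claims.get("acr"))
    if achieved is None or achieved < required:
        return False
    max_age = LOA_MAX_AGE.get(required)
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            return False
    return True


def _unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for this demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    tok = _unsigned_token({"sub": "alice", "acr": "step-up", "auth_time": 1_000_000})
    print(satisfies_level(id_token_claims(tok), "step-up", now=1_000_100))  # True
    print(satisfies_level(id_token_claims(tok), "step-up", now=1_000_400))  # False: stale
```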
After a long search, I found this is a bug in Keycloak and it is still open.
There is a workaround suggested to mitigate this issue:
The workaround (not always applicable) is to set the Browser step-up authentication as the default for the entire realm, by selecting "Action - Bind Flow" in the custom flow.