Closed pabrabbin closed 7 years ago
Yes, because otherwise it is a vector for finding a valid login name; you then just have to crack the password.
It's common in security systems to require both uname and pword before returning any valid response. It is why we don't have separate errors for unknown username and invalid password.
I will add a comment to this effect to the operation.
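Added example (not this project's code): the two designs described in the comment above side by side. `list_roles_leaky` answers differently for an unknown username and a wrong password, which is what lets a caller confirm login names; `list_roles` requires both credentials and returns one generic failure either way, and does the same password hashing for unknown users so the response time does not leak existence either. The user store, credentials and role names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample user store (not from the project): username -> salt, PBKDF2 hash, roles.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str, roles) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": tuple(roles)}


USERS = {
    "alice": make_user("correct horse battery staple", ["admin", "operator"]),
    "bob": make_user("hunter2", ["viewer"]),
}

# Dummy credential hashed for unknown usernames so the work done (and hence the
# response time) is the same whether or not the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)

GENERIC_FAILURE = "invalid username or password"


def list_roles_leaky(username: str, password: Optional[str] = None) -> Tuple[bool, str, tuple]:
    """Enumeration-prone design: distinct answers for unknown user vs. bad password,
    and a username alone is enough to learn whether the account exists."""
    user = USERS.get(username)
    if user is None:
        return (False, "unknown username", ())
    if password is None or not hmac.compare_digest(
        _hash_password(password, user["salt"]), user["hash"]
    ):
        return (False, "invalid password", ())
    return (True, "ok", user["roles"])


def list_roles(username: str, password: str) -> Tuple[bool, str, tuple]:
    """Uniform design: both credentials are required, and one generic failure is
    returned regardless of which one was wrong."""
    user = USERS.get(username)
    # Always hash, using dummy material when the user is unknown.
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if user is None or not ok:
        return (False, GENERIC_FAILURE, ())
    return (True, "ok", user["roles"])
```

With the uniform design, the only way to get a role list back is to present a valid username and its password together, which matches the reasoning above that the operation should not answer before both have been supplied.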
The listRoles operation description says:
"This operation is expected to be called before a user logs in so that the software can provide a list of possible roles."
However, the operation request requires a password to be provided.
Is this intended? Normally a user would expect to select a role before entering a password (as part of the login process).