I'm currently working on a SSO project. But I'm a bit confused about the login mechanism in the quickstart.
First, I found that the user input Username and Password can be only retrieved once by UsernamePasswordLoginModule.getUsernameAndPassword(). If you try to access the password second time, then password will be EMPTY_STR, but the username is still there. I don't quite understand why.
Second, since the user entered password is EMPTY_STR, the login function will convert the password saved in IdP to EMPTY_STR in order to match it.
I don't quite understand firstly why the login() will be called twice (and actually which class extend AbstractServerLoginModule and be used while login besides UsernamePasswordLoginModule), and why the password would become EMPTY_STR in we access it for the second time?