Avoid surplus blanks in source strings

Closes #37582

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>

js/apps/account-ui/maven-resources/theme/keycloak.v3/account/messages/messages_en.properties

@@ -148,7 +148,7 @@ systemDefined=System defined
 hasAccessTo=Has access to
 internalApp=Internal
 updateError=Could not update the resource due to\: {{error}}
-accessGrantedOn=Access granted on\: 
+accessGrantedOn=Access granted on\:
 editTheResource=Edit the resource - {{name}}
 permissionRequests=Permission requests
 shareSuccess=Resource successfully shared.
@@ -164,7 +164,7 @@ termsOfService=Terms of service
 jumpToSection=Jump to section
 linkError=Could not link due to\: {{error}}
 requestor=Requestor
-shareWith=Share with 
+shareWith=Share with
 updateCredAriaLabel=Update credential
 error-pattern-no-match='{{0}}' doesn't match required format.
 application=Application

js/apps/account-ui/src/resources/ShareTheResource.tsx

@@ -177,7 +177,7 @@ export const ShareTheResource = ({
             </InputGroupItem>
           </InputGroup>
           {fields.length > 1 && (
-            <ChipGroup categoryName={t("shareWith")}>
+            <ChipGroup categoryName={t("shareWith") + " "}>
               {fields.map(
                 (field, index) =>
                   index !== fields.length - 1 && (

js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties

@@ -46,7 +46,7 @@ eventTypes.UPDATE_TOTP.name=Update totp
 updateCibaError=Could not update CIBA policy\: {{error}}
 policyUrl=Policy URL
 clientDescriptionHelp=Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example\: ${my_client_description}.
-rolesPermissionsHint=Determines if fine grained permissions are enabled for managing this role.  Disabling will delete all current permissions that have been set up.
+rolesPermissionsHint=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up.
 passwordPoliciesHelp.regexPattern=Requires that the password matches one or more defined Java regular expression patterns.
 oAuthDPoP=OAuth 2.0 DPoP Bound Access Tokens Enabled
 invalidRealmName=Realm name can't contain special characters
@@ -285,7 +285,7 @@ eventTypes.PERMISSION_TOKEN.description=Permission token
 allow-default-scopes.label=Allow Default Scopes
 minuteHelp=Defines the minute when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if the current minute is between or equal to the two values you provided.
 updateCibaSuccess=CIBA policy successfully updated
-newRoleNameHelp=The new role name.  The new name format corresponds to where in the access token the role will be mapped to.  So, a new name of 'myapp.newname' will map the role to that position in the access token.  A new name of 'newname' will map the role to the realm roles in the token.
+newRoleNameHelp=The new role name. The new name format corresponds to where in the access token the role will be mapped to. So, a new name of 'myapp.newname' will map the role to that position in the access token. A new name of 'newname' will map the role to the realm roles in the token.
 mapperTypeFullNameLdapMapper=full-name-ldap-mapper
 searchUserByAttributeMissingKeyError=Specify an attribute key
 eventTypes.INVALID_SIGNATURE.name=Invalid signature
@@ -382,7 +382,7 @@ mapperTypeHardcodedAttributeMapper=hardcoded-attribute-mapper
 eventTypes.IMPERSONATE.description=Impersonate
 forbidden_other=Forbidden, permissions needed\:
 clientAuthorization=Authorization
-identityProvidersPermissionsHint=Determines if fine grained permissions are enabled for managing this role.  Disabling will delete all current permissions that have been set up.
+identityProvidersPermissionsHint=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up.
 removeMappingConfirm_other=Are you sure you want to remove {{count}} roles
 kerberosWizardDescription=Text needed here.
 welcome=Welcome to
@@ -815,14 +815,14 @@ useEntityDescriptor=Use entity descriptor
 loginActionTimeout=Login action timeout
 windowsDomainQN=Windows Domain Qualified Name
 deleteClientError=Could not delete profile\: {{error}}
-validRedirectURIs=Valid URI pattern that a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http\://example.com/*'. Also, you can use a relative path, such as /my/relative/path/*. Relative paths are relative to the client root URL; if that URL is not specified, the auth server root URL is used. For SAML,  set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
+validRedirectURIs=Valid URI pattern that a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http\://example.com/*'. Also, you can use a relative path, such as /my/relative/path/*. Relative paths are relative to the client root URL; if that URL is not specified, the auth server root URL is used. For SAML, set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
 UPDATE_PROFILE=Update Profile (UPDATE_PROFILE)
 assertionConsumerServicePostBindingURL=Assertion Consumer Service POST Binding URL
 removeImported=Remove imported
 endpoints=Endpoints
 roleSaveError=Could not save role\: {{error}}
 keySize=Key size
-membershipUserLdapAttributeHelp=Used only if the Membership Attribute Type is UID. It is the name of the LDAP attribute on the user, which is used for membership mappings.  It is typically 'uid'. For example, if the value of 'Membership User LDAP Attribute' is 'uid' and the LDAP group has 'memberUid\: john',  it is expected that particular LDAP user will have the attribute 'uid\: john'.
+membershipUserLdapAttributeHelp=Used only if the Membership Attribute Type is UID. It is the name of the LDAP attribute on the user, which is used for membership mappings. It is typically 'uid'. For example, if the value of 'Membership User LDAP Attribute' is 'uid' and the LDAP group has 'memberUid\: john', it is expected that particular LDAP user will have the attribute 'uid\: john'.
 samlCapabilityConfig=SAML capabilities
 accessTokenSignatureAlgorithmHelp=JWA algorithm used for signing access tokens.
 derFormatted=DER formatted
@@ -869,7 +869,7 @@ leaveGroup_one=Leave group {{name}}?
 count=Count
 noPasswordPoliciesInstructions=You haven't added any password policies to this realm. Add a policy to get started.
 testAuthentication=Test authentication
-groupNameLdapAttributeHelp=Name of LDAP attribute that is used in group objects for the name and RDN of group. It is typically 'cn'. In this case, a typical group/role object may have DN such as  'cn\=Group1,ouu\=groups,dc\=example,dc\=org'.
+groupNameLdapAttributeHelp=Name of LDAP attribute that is used in group objects for the name and RDN of group. It is typically 'cn'. In this case, a typical group/role object may have DN such as 'cn\=Group1,ouu\=groups,dc\=example,dc\=org'.
 deleteError=Could not delete the provider {{error}}
 attributeDisplayName=Display name
 pkceEnabled=Use PKCE
@@ -1329,7 +1329,7 @@ eventTypes.USER_DISABLED_BY_PERMANENT_LOCKOUT_ERROR.description=User disabled by
 eventTypes.USER_DISABLED_BY_TEMPORARY_LOCKOUT.description=User disabled by temporary lockout
 eventTypes.USER_DISABLED_BY_TEMPORARY_LOCKOUT_ERROR.description=User disabled by temporary lockout error
 userModelAttributeNameHelp=Name of the model attribute to be added when importing user from LDAP
-templateHelp=Template to use to format the username to import.  Substitutions are enclosed in ${}.  For example\: '${ALIAS}.${CLAIM.sub}'.  ALIAS is the provider alias.  CLAIM.<NAME> references an ID or Access token claim. The substitution can be converted to upper or lower case by appending |uppercase or |lowercase to the substituted value, for example, '${CLAIM.sub | lowercase}.
+templateHelp=Template to use to format the username to import. Substitutions are enclosed in ${}. For example\: '${ALIAS}.${CLAIM.sub}'. ALIAS is the provider alias. CLAIM.<NAME> references an ID or Access token claim. The substitution can be converted to upper or lower case by appending |uppercase or |lowercase to the substituted value, for example, '${CLAIM.sub | lowercase}.
 permissions=Permissions
 emptyExecutionInstructions=You can start defining this flow by adding a sub-flow or an execution
 offlineSessionSettings=Offline session settings
@@ -1708,7 +1708,7 @@ eventTypes.IDENTITY_PROVIDER_LINK_ACCOUNT.description=Identity provider link acc
 eventTypes.TOKEN_EXCHANGE.name=Token exchange
 skipped=Skipped
 eventTypes.RESTART_AUTHENTICATION.description=Restart authentication
-scopePermissions.users.manage-group-membership-description=Policies that decide if an administrator can manage group membership for all users in the realm.  This is used in conjunction with specific group policy
+scopePermissions.users.manage-group-membership-description=Policies that decide if an administrator can manage group membership for all users in the realm. This is used in conjunction with specific group policy
 loginTheme=Login theme
 eventTypes.UPDATE_PASSWORD_ERROR.description=Update password error
 deleteConfirmRealmSetting=If you delete this realm, all associated data will be removed.
@@ -1733,7 +1733,7 @@ eventTypes.EXECUTE_ACTION_TOKEN_ERROR.name=Execute action token error
 eventTypes.USER_INFO_REQUEST_ERROR.description=User info request error
 policyRoles=Specifies the client roles allowed by this policy.
 roleMapping=Role mapping
-accountLinkingOnlyHelp=If true, users cannot log in through this provider.  They can only link to this provider.  This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
+accountLinkingOnlyHelp=If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
 refreshTokenMaxReuseHelp=Maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.
 eventTypes.REMOVE_FEDERATED_IDENTITY.description=Remove federated identity
 childGroups=Child groups
@@ -2248,7 +2248,7 @@ alwaysReadValueFromLdapHelp=If on, then during reading of the LDAP attribute val
 usermodel.clientRoleMapping.tokenClaimName.tooltip=Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and to use the dot literally, escape the dot with a backslash (\\.). You can use the special token ${client_id}; it will be replaced by the actual client ID. An example usage is 'resource_access.${client_id}.roles'. This option is especially useful when you add roles from all the clients, meaning 'Client ID' is disabled, and you want client roles of each client stored separately.
 scopePermissions.clients.map-roles-description=Policies that decide if an administrator can map roles defined by this client
 signAssertions=Sign assertions
-disableUserInfoHelp=Disable usage of User Info service to obtain additional user information?  Default is to use this OIDC service.
+disableUserInfoHelp=Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
 xFrameOptionsHelp=Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>
 copyError=Error copying authorization details\: {{error}}
 validateSignatures=Enable/disable signature validation of SAML responses.
@@ -2287,7 +2287,7 @@ createClient=Create client
 inputTypeRows=Input rows
 eventTypes.IDENTITY_PROVIDER_FIRST_LOGIN.description=Identity provider first login
 usedMemory=Used memory
-validatePasswordPolicyHelp=Determines if Keycloak should validate the password with the realm password policy before updating it. When the user's password is saved in LDAP, some Keycloak password policies do not work: Not Recently Used, Expire Password, Hashing Iterations, and Hashing Algorithm. This situation occurs because Keycloak does not have direct control over the password storage.  if you want to use those policies, enable password policies at the LDAP server layer.
+validatePasswordPolicyHelp=Determines if Keycloak should validate the password with the realm password policy before updating it. When the user's password is saved in LDAP, some Keycloak password policies do not work: Not Recently Used, Expire Password, Hashing Iterations, and Hashing Algorithm. This situation occurs because Keycloak does not have direct control over the password storage. if you want to use those policies, enable password policies at the LDAP server layer.
 bruteForceModeHelpText=If enabled, specify what should happen to the user account if a brute force attack is detected.
 quickLoginCheckMilliSeconds=Quick login check milliseconds
 createResourceSuccess=Resource created successfully
@@ -2479,7 +2479,7 @@ inputOptionLabelsI18nPrefix=Internationalization key prefix
 enabledHelp=Set if the keys are enabled
 nameHintHelp=A unique name for the group. This name will be used to reference the group when binding an attribute to a group.
 admin-events-cleared-error=Could not clear the admin events {{error}}
-usersPermissionsHint=Fine grained permissions for managing all users in realm.  You can define different policies for who is allowed to manage users in the realm.
+usersPermissionsHint=Fine grained permissions for managing all users in realm. You can define different policies for who is allowed to manage users in the realm.
 isBinaryAttribute=Is binary attribute
 clientScopeList=Client scopes
 noValidMetaDataFound=No valid metadata was found at this URL\: '{{error}}'
@@ -2696,7 +2696,7 @@ excludeIssuerFromAuthenticationResponse=Exclude Issuer From Authentication Respo
 minus=Minus
 groupsHelp=Groups where the user has membership. To leave a group, click the cross button.
 includeGroupsAndRoles=Include groups and roles
-groupsPermissionsHint=Determines if fine grained permissions are enabled for managing this role.  Disabling will delete all current permissions that have been set up.
+groupsPermissionsHint=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up.
 searchForTranslation=Search for translation
 offlineSessionMaxHelp=Max time before an offline session is expired regardless of activity.
 resourceSaveError=Could not persist resource due to {{error}}
@@ -2849,7 +2849,7 @@ push=Push
 targetClaimHelp=Specifies the target claim which the policy will fetch.
 periodicFullSyncHelp=Whether periodic full synchronization of LDAP users to Keycloak should be enabled or not
 client-attributes-condition.tooltip=Client attributes, that will be checked during this condition evaluation. Condition evaluates to true if the client has all client attributes with the name and value as the client attributes specified in the configuration.
-scopePermissions.users.user-impersonated-description=Policies that decide which users can be impersonated.  These policies are applied to the user being impersonated.
+scopePermissions.users.user-impersonated-description=Policies that decide which users can be impersonated. These policies are applied to the user being impersonated.
 forceNameIdFormat=Force name ID format
 noMappersInstructions=There are currently no mappers for this identity provider.
 deleteConfirmFlow=Delete flow?
@@ -3178,7 +3178,7 @@ smtpPortPlaceholder=SMTP port (defaults to 25)
 loginUsernamePlaceholder=Login username
 ownerHelp=Owner for this resource.
 parRequestUriLifespan=Lifetime of the Request URI for Pushed Authorization Request
-parRequestUriLifespanHelp=Number that represents the lifetime of the request URI.  The default value is 1 minute.
+parRequestUriLifespanHelp=Number that represents the lifetime of the request URI. The default value is 1 minute.
 identityBrokeringLink=Identity brokering link
 searchClientRegistration=Search for policy
 importFileHelp=File to import a key
@@ -3256,7 +3256,7 @@ emailVerificationHelp=Independent timeout for email verification
 idpAccountEmailVerificationHelp=Independent timeout for IdP account email verification
 forgotPasswordHelp=Independent timeout for forgot password
 executeActionsHelp=Independent timeout for execute actions
-validatingX509CertsHelp=The public certificates used by Keycloak to validate the signatures of SAML requests and responses from the external IDP when the Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by commas (,).  You can reimport certificates from the Metadata descriptor URL by clicking the Import Keys action on the identity provider page. This action downloads the current certificates in the metadata endpoint and assigns them to the config in this same option. Click Save to definitely store the re-imported certificates.
+validatingX509CertsHelp=The public certificates used by Keycloak to validate the signatures of SAML requests and responses from the external IDP when the Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by commas (,). You can reimport certificates from the Metadata descriptor URL by clicking the Import Keys action on the identity provider page. This action downloads the current certificates in the metadata endpoint and assigns them to the config in this same option. Click Save to definitely store the re-imported certificates.
 emptyUserOrganizations=No organizations
 emptyUserOrganizationsInstructions=There is no organization yet. Please join an organization or send an invitation to join an organization.
 joinOrganization=Join organization
@@ -3336,7 +3336,7 @@ permissionsSubTitle=Permissions control access to a resource or multiple resourc
 signatureAlgorithmIdentityProviderMetadata=Signature algorithm SAML IdP metadata
 signatureAlgorithmIdentityProviderMetadataHelp=Signature algorithm to use for the SAML identity provider metadata, if none the metadata is not signed.
 connectionTrace=Connection trace
-connectionTraceHelp=If enabled, incoming and outgoing LDAP ASN.1 BER packets will be dumped to the error output stream. Be careful when enabling this option in production as it will expose all data sent to and from the LDAP server. 
+connectionTraceHelp=If enabled, incoming and outgoing LDAP ASN.1 BER packets will be dumped to the error output stream. Be careful when enabling this option in production as it will expose all data sent to and from the LDAP server.
 savingUserEventsOff=Saving user events turned off
 savingAdminEventsOff=Saving admin events turned off
 membershipEvents=Membership events
@@ -3347,12 +3347,12 @@ permissionsName=Permission name
 permissionsAssignedPolicy=Assigned policy
 chooseAResourceType=Choose a resource type
 chooseAResourceTypeInstructions=Choose a resource type for which you will create a permission.
-resourceType.Clients=Controls access to operations that can be  performed for clients in this realm
-resourceType.Groups=Controls access to operations that can be  performed for groups in this realm
-resourceType.IdentityProviders=Controls access to operations that can be  performed for identity providers in this realm
-resourceType.Organizations=Controls access to operations that can be  performed for organizations in this realm
-resourceType.Roles=Controls access to operations that can be  performed for roles in this realm
-resourceType.Users=Controls access to operations that can be  performed for users in this realm
+resourceType.Clients=Controls access to operations that can be performed for clients in this realm
+resourceType.Groups=Controls access to operations that can be performed for groups in this realm
+resourceType.IdentityProviders=Controls access to operations that can be performed for identity providers in this realm
+resourceType.Organizations=Controls access to operations that can be performed for organizations in this realm
+resourceType.Roles=Controls access to operations that can be performed for roles in this realm
+resourceType.Users=Controls access to operations that can be performed for users in this realm
 createPermissionOfType=This permission will be applied to the {{resourceType}}
 permissionUsersHelpText=Specifies which user(s) are allowed by this permission.
 permissionNameHelpText=The name of the permission. This name is used to identify the permission in the admin console.
@@ -3397,7 +3397,7 @@ noPermissionSearchResultsInstructions=No permissions matched your filters.
 deleteAdminPermissionConfirm=If you delete permission {{ permission }}, administrators cannot perform the actions on resources that were defined by the permission.
 authorizationScope.Clients.configure=Performs basic management of a client
 authorizationScope.Clients.manage=Fully manages a client
-authorizationScope.Clients.map-roles=Map roles defined by this client to resources such as  users and groups
+authorizationScope.Clients.map-roles=Map roles defined by this client to resources such as users and groups
 authorizationScope.Clients.map-roles-client-scope=Applies roles defined by this client to the client scope of another client
 authorizationScope.Clients.map-roles-composite=Applies roles defined by this client as a composite to another role
 authorizationScope.Clients.token-exchange=Controls which clients can exchange tokens for a token that is targeted to this client
@@ -3413,7 +3413,7 @@ authorizationScope.Groups.manage-members=Manages group members
 authorizationScope.Groups.manage-membership=Adds or removes group members
 authorizationScope.Groups.view=Views this group
 authorizationScope.Groups.view-members=Views group members
-authorizationScope.IdentityProviders.token-exchange=Allows clients to exchange tokens for  tokens issued by this identity provider
+authorizationScope.IdentityProviders.token-exchange=Allows clients to exchange tokens for tokens issued by this identity provider
 usersResources=Users
 clientsResources=Clients
 groupsResources=Groups
@@ -3421,4 +3421,4 @@ resourceTypeHelpText=Specifies which {{ resourceType }} are allowed by this perm
 evaluation=Evaluation
 addSubFlowTo=Add sub-flow to {{name}}
 addExecutionTo=Add execution to {{name}}
-addConditionTo=Add condition to {{name}}
+addConditionTo=Add condition to {{name}}

misc/theme-verifier/src/main/java/org/keycloak/themeverifier/VerifyMessageProperties.java

@@ -49,6 +49,7 @@ public class VerifyMessageProperties {
             String contents = Files.readString(file.toPath());
             verifyNoDuplicateKeys(contents);
             verifySafeHtml();
+            verifyProblematicBlanks();
         } catch (IOException e) {
             throw new MojoExecutionException("Can not read file " + file, e);
         }
@@ -114,6 +115,39 @@ public class VerifyMessageProperties {
         });
     }
 
+    /**
+     * Double blanks and blanks at the beginning of end of the string are difficult to translation in the translation tools and
+     * are easily missed. If a blank before or after the string is needed in the UI, add it in the HTML template.
+     */
+    private void verifyProblematicBlanks() {
+        if (!file.getName().endsWith("_en.properties")) {
+            // Only check EN original files, as the other files are checked by the translation tools
+            return;
+        }
+        PropertyResourceBundle bundle;
+        try (FileInputStream fis = new FileInputStream(file)) {
+            bundle = new PropertyResourceBundle(fis);
+        } catch (IOException e) {
+            throw new RuntimeException("unable to read file " + file, e);
+        }
+
+        bundle.getKeys().asIterator().forEachRemaining(key -> {
+            String value = bundle.getString(key);
+
+            if (value.contains("  ")) {
+                messages.add("Duplicate blanks in " + key + " for file " + file + ": '" + value);
+            }
+
+            if (value.startsWith(" ")) {
+                messages.add(key + " starts with a blank in file " + file + ": '" + value);
+            }
+
+            if (value.endsWith(" ")) {
+                messages.add(key + " ends with a blank in file " + file + ": '" + value);
+            }
+        });
+    }
+
     private String normalizeValue(String key, String value) {
         if (key.equals("templateHelp")) {
             // Allow "CLAIM.<NAME>" here

misc/theme-verifier/src/test/java/org/keycloak/themeverifier/VerifyMessagePropertiesTest.java

@@ -51,6 +51,14 @@ class VerifyMessagePropertiesTest {
         MatcherAssert.assertThat(verify, Matchers.hasItem(Matchers.containsString("Didn't find anchor tag")));
     }
 
+    @Test
+    void verifyNoExtraBlanks() throws MojoExecutionException {
+        List<String> verify = getFile("blanks_en.properties").verify();
+        MatcherAssert.assertThat(verify, Matchers.hasItem(Matchers.containsString("Duplicate blanks")));
+        MatcherAssert.assertThat(verify, Matchers.hasItem(Matchers.containsString("starts with a blank")));
+        MatcherAssert.assertThat(verify, Matchers.hasItem(Matchers.containsString("ends with a blank")));
+    }
+
     private static VerifyMessageProperties getFile(String fixture) {
         URL resource = VerifyMessageProperties.class.getResource("/" + fixture);
         if (resource == null) {

misc/theme-verifier/src/test/resources/blanks_en.properties

@@ -0,0 +1,17 @@
+#
+# Copyright 2025 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+key=\ word  word\ 

themes/src/main/resources/theme/base/login/messages/messages_en.properties

@@ -20,8 +20,8 @@ errorDeletingAccount=Error happened while deleting account
 deletingAccountForbidden=You do not have enough permissions to delete your own account, contact admin.
 kerberosNotConfigured=Kerberos Not Configured
 kerberosNotConfiguredTitle=Kerberos Not Configured
-bypassKerberosDetail=Either you are not logged in by Kerberos or your browser is not set up for Kerberos login.  Please click continue to login in through other means
-kerberosNotSetUp=Kerberos is not set up.  You cannot login.
+bypassKerberosDetail=Either you are not logged in by Kerberos or your browser is not set up for Kerberos login. Please click continue to login in through other means
+kerberosNotSetUp=Kerberos is not set up. You cannot login.
 registerTitle=Register
 loginAccountTitle=Sign in to your account
 loginTitle=Sign in to {0}
@@ -33,13 +33,13 @@ unknownUser=Unknown user
 loginTotpTitle=Mobile Authenticator Setup
 loginProfileTitle=Update Account Information
 loginIdpReviewProfileTitle=Update Account Information
-loginTimeout=Your login attempt timed out.  Login will start from the beginning.
+loginTimeout=Your login attempt timed out. Login will start from the beginning.
 reauthenticate=Please re-authenticate to continue
 authenticateStrong=Strong authentication required to continue
 oauthGrantTitle=Grant Access to {0}
 oauthGrantTitleHtml={0}
 oauthGrantInformation=Make sure you trust {0} by learning how {0} will handle your data.
-oauthGrantReview=You could review the 
+oauthGrantReview=You could review the
 oauthGrantTos=terms of service.
 oauthGrantPolicy=privacy policy.
 errorTitle=We are sorry...
@@ -373,7 +373,7 @@ credentialSetupRequired=Cannot login, credential setup required.
 identityProviderNotUniqueMessage=Realm supports multiple identity providers. Could not determine which identity provider should be used to authenticate with.
 emailVerifiedMessage=Your email address has been verified.
 emailVerifiedAlreadyMessage=Your email address has been verified already.
-staleEmailVerificationLink=The link you clicked is an old stale link and is no longer valid.  Maybe you have already verified your email.
+staleEmailVerificationLink=The link you clicked is an old stale link and is no longer valid. Maybe you have already verified your email.
 identityProviderAlreadyLinkedMessage=Federated identity returned by {0} is already linked to another user.
 confirmAccountLinking=Confirm linking the account {0} of identity provider {1} with your account.
 confirmEmailAddressVerification=Confirm validity of e-mail address {0}.
@@ -415,7 +415,7 @@ console-otp=One Time Password:
 console-new-password=New Password:
 console-confirm-password=Confirm Password:
 console-update-password=Update of your password is required.
-console-verify-email=You need to verify your email address.  We sent an email to {0} that contains a verification code.  Please enter this code into the input below.
+console-verify-email=You need to verify your email address. We sent an email to {0} that contains a verification code. Please enter this code into the input below.
 console-email-code=Email Code:
 console-accept-terms=Accept Terms? [y/n]:
 console-accept=y
@@ -429,7 +429,7 @@ openshift.scope.list-projects=List projects
 # SAML authentication
 saml.post-form.title=Authentication Redirect
 saml.post-form.message=Redirecting, please wait.
-saml.post-form.js-disabled=JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue. 
+saml.post-form.js-disabled=JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue.
 saml.artifactResolutionServiceInvalidResponse=Unable to resolve artifact.
 
 #authenticators