[keycloak-user] Authentication failure logs at ERROR level

Stian Thorgersen sthorger at redhat.com
Wed Apr 13 00:51:27 EDT 2016


org.keycloak.events is fully configurable; you can set what level you want
it to log successes and failures at. Login failures are supposed to only be
logged by the event mechanism, so this is a bug. Can you create a JIRA, please?

On 12 April 2016 at 16:17, Aikeaguinea <aikeaguinea at xsmail.com> wrote:

> I'm implementing a custom authenticator, and I'm noticing that whenever
> I get an authentication failure I get a long exception in the log at
> level ERROR as well as one at level WARN:
>
>
>      19:08:16,592 WARN  [org.keycloak.events] (default task-7)
>      type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account,
>      userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials,
>      auth_method=openid-connect, auth_type=code,
>      redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect',
>      code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19
>      19:08:16,593 ERROR [org.keycloak.services] (default task-7)
>      KC-SERVICES0013: failed authentication:
>      org.keycloak.authentication.AuthenticationFlowException
>         at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207)
>         at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:85)
>         at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:756)
>         at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:353)
>         at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:335)
>         at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:380)
>         ...many more lines
>
>
> This seems open to a DoS vulnerability that would fill up logs by
> bombing the system with failed login attempts. In addition, logging the
> failure at ERROR means that the only way to keep the second log entry
> from showing up is to turn off all logging for org.keycloak.services.
>
> In my ideal world, we could set Keycloak so that login failures were
> simply recorded as events but don't show up in the server log at all. Is
> there a way to do that?
>
> --
> http://www.fastmail.com - A fast, anti-spam email service.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
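An added configuration example, not from this thread or from the Keycloak project, showing the two knobs Stian's reply points at in a WildFly standalone.xml hosting Keycloak: the eventsListener SPI for the jboss-logging listener, whose success-level and error-level properties set the level at which org.keycloak.events logs successful and failed logins, and the logging subsystem's per-category level. The property names, defaults (debug/warn) and the org.keycloak.events category are assumed from the jboss-logging listener of that era, and the subsystem namespace versions are assumptions too; verify both against the Keycloak and WildFly versions in use.

```xml
<!-- Added example, not from the thread. Fragments of a WildFly standalone.xml
     hosting Keycloak. Assumed: the jboss-logging event listener reads the
     "success-level" and "error-level" properties (defaults debug / warn) and
     logs under the category org.keycloak.events; namespace versions may differ. -->
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <!-- ... other SPI config ... -->
    <spi name="eventsListener">
        <provider name="jboss-logging" enabled="true">
            <properties>
                <!-- Successful logins stay at DEBUG (the default). Dropping failed
                     logins from WARN to DEBUG removes the per-attempt WARN line
                     that an attacker can generate at will, while the events are
                     still stored if "Save Events" is enabled for the realm. -->
                <property name="success-level" value="debug"/>
                <property name="error-level" value="debug"/>
            </properties>
        </provider>
    </spi>
</subsystem>

<subsystem xmlns="urn:jboss:domain:logging:3.0">
    <!-- ... handlers and root logger ... -->
    <!-- Alternative: leave the listener at its defaults and raise the threshold
         of the events category. Neither setting touches the KC-SERVICES0013
         ERROR, which is emitted by org.keycloak.services; that is the bug
         discussed above, and lowering that category would hide unrelated errors. -->
    <logger category="org.keycloak.events">
        <level name="ERROR"/>
    </logger>
</subsystem>
```

Prefer the listener properties over the category level: they change only what the event listener emits, leave the event store untouched, and survive a later change to the root logger threshold.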