<div dir="ltr">org.keycloak.events is fully configurable; you can set what level you want it to log success and failures.  Logging failures are supposed to only be logged by the event mechanism, so this is a bug. Can you create a JIRA please?</div><div class="gmail_extra"><br><div class="gmail_quote">On 12 April 2016 at 16:17, Aikeaguinea <span dir="ltr">&lt;<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I&#39;m implementing a custom authenticator, and I&#39;m noticing that whenever<br>
I get an authentication failure I get a long exception in the log at<br>
level ERROR as well as one at level WARN:<br>
<br>
<br>
     19:08:16,592 WARN  [org.keycloak.events] (default task-7)<br>
     type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account,<br>
     userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials,<br>
     auth_method=openid-connect, auth_type=code,<br>
     redirect_uri=&#39;<a href="http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect" rel="noreferrer" target="_blank">http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect</a>&#39;,<br>
     code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19<br>
     19:08:16,593 ERROR [org.keycloak.services] (default task-7)<br>
     KC-SERVICES0013: failed authentication:<br>
     org.keycloak.authentication.AuthenticationFlowException<br>
        at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207)<br>
        at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:85)<br>
        at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:756)<br>
        at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:353)<br>
        at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:335)<br>
        at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:380)<br>
        ...many more lines<br>
<br>
<br>
This seems open to a DOS vulnerability that would fill up logs by<br>
bombing the system with failed login attempts. In addition, logging the<br>
failure at ERROR means that the only way to keep the second log entry<br>
from showing up is to turn off all logging for org.keycloak.services.<br>
<br>
In my ideal world, we could set Keycloak so that login failures were<br>
simply recorded as events but don&#39;t show up in the server log at all. Is<br>
there a way to do that?<br>
<span class="HOEnZb"><font color="#888888"><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote></div><br></div>
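<div>An added example, not part of the thread and not Keycloak code: a small parser for the org.keycloak.events line format quoted above that flags source addresses producing a burst of LOGIN_ERROR events, the pattern that drives the log growth discussed here. It assumes each event sits on one line (the mail client wrapped the quoted one); the sample lines, function names, threshold and window are constructed for illustration.</div>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on the event quoted in the thread.
_FMT = ("{t} WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, "
        "realmId=CustomAuthTest, clientId=account, userId=null, "
        "ipAddress={ip}, error=invalid_user_credentials")
SAMPLE = [_FMT.format(t=t, ip=ip) for t, ip in [
    ("19:08:16,592", "127.0.0.1"),
    ("19:08:20,100", "192.0.2.10"), ("19:08:20,600", "192.0.2.10"),
    ("19:08:21,050", "192.0.2.10"), ("19:08:21,900", "192.0.2.10"),
    ("19:08:22,000", "198.51.100.7"), ("19:08:52,000", "198.51.100.7"),
]]
# The ERROR line from org.keycloak.services is not an event and must be skipped.
SAMPLE.insert(1, "19:08:16,593 ERROR [org.keycloak.services] (default task-7) "
                 "KC-SERVICES0013: failed authentication")

EVENT_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}),(\d{3}) \w+\s+\[org\.keycloak\.events\] \([^)]*\) (.*)$")

def parse_event(line):
    """Return the key=value fields of an org.keycloak.events line, or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # Fields are separated by ", "; values are assumed not to contain that pair.
    fields = dict(kv.split("=", 1) for kv in m.group(3).split(", ") if "=" in kv)
    # The log carries time of day only; midnight rollover is ignored here.
    fields["time"] = (datetime.strptime(m.group(1), "%H:%M:%S")
                      + timedelta(milliseconds=int(m.group(2))))
    return fields

def flooding_sources(lines, threshold=3, window=timedelta(seconds=10)):
    """Map each ipAddress to its peak LOGIN_ERROR count inside a sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("type") != "LOGIN_ERROR":
            continue
        ip = ev.get("ipAddress", "unknown")
        q = recent[ip]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(flooding_sources(SAMPLE))
```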