[keycloak-dev] Brute force protection behaviour

Hi, please help me clarify the expected behaviour of brute force protection. I read the documentation [1] but I am still not 100% sure about it. I'm more after intention rather than actual implementation. 1) When should the Failure Reset Time apply? After the first or after last failed attempt? 2) Should failed login attempts counter be cleared after the first successful login or only after failure reset time regardless of the successful login? 3) Should login failures be counted while the account is locked? 4) Should unlocking account in admin console reset login failures counter? In other words, what is expected behaviour of the following scenarios (questions are in items marked with Q ->)? I intentionally don't suggest any correct answer below myself. Setup: - Permanent lockout: Off - Max Lock time: 15 mins - Wait Time Increment: 1 min - Failure Reset Time: 30 mins = Scenario 1 = 1.1) User locks its account 1.2) Another 3 immediate failed login attempts while account is blocked *Q -> *1.3) Check that after (1 or 3?) minutes the account is unlocked = Scenario 2 = 2.1) User locks its account 2.2) Wait until account is unlocked (should be 1x Wait Time Increment) 2.3) Then do another one failed login attempt. *Q -> *2.4) Should the account be locked now or only after next Max Login Failures? *Q -> *2.5) Wait until account is unlocked (should be 1x or 2x Wait Time Increment?) 2.6) Then fail another one login attempt *Q -> *2.7) Wait until account is unlocked (should be 1x or 3x Wait Time Increment?) *Q -> *2.8) Wait Failure Reset Time (since first or last failed attempt?) 2.9) Validate that the user can again lock themselves out only after Max Login Failures failed login attempts. = Scenario 3 = 3.1) User locks its account 3.2) Another 20 failed immediate login attempts while account is blocked *Q -> *3.3) Check that after (1 or 15?) minutes the account is unlocked (Max Lock time is 15 mins) Thanks --Hynek [1] http://www.keycloak.org/docs/latest/server_admin/index.html#password-gues...