On 3/20/2014 6:47 AM, Adrian Mitev wrote:
Hi guys! I'm very interested in Keycloak and would like to share
you some ideas that come from user requirements I currently have or had
in the past that you may find useful to add in Keycloak.
* Automatically revoke access to user account after a (configurable)
number of invalid sign-on passwords until the system administrator has
unlocked the account or automatically after an administrator-defined
interval - I know that with such feature an attacker could lock user
accounts by simply knowing usernames/emails. However I have a case of an
Intranet application that is accessible only inside the company and
could trace such attackers by their ip addresses.
Working on Brute force detection now. First iteration will increasingly
add a "not before" time on successive login failures. Second iteration
will include IP address options.
* Record and report (i.e. email sending) on failed login attempts
* Force password changes at regular (configurable) intervals or
* Automatically reset the password and send a new one to the user via email
* Can ensure that the new password has not been used before in a number
(configurable) of password changes
* Login using digital signature in a smart card or p12 file
This something different than OTP?
* Security questions for password recovery
Other that I found as issues in other Identity Providers
* Support many accounts (~10K) within a reasonable amount of time
* When providing an authentication client (maven dependency) add only
the needed set of dependencies. I know this sounds silly but I have
experience with a client library provided by the Identity Provider that
had a compile dependency to apache ant...
So far our adapters are installed once onto the app server.
JBoss, a division of Red Hat