On 5/1/2014 2:21 PM, Stian Thorgersen wrote:
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Cc: keycloak-dev(a)lists.jboss.org
> > Sent: Thursday, 1 May, 2014 5:12:32 PM
> > Subject: Re: [keycloak-dev] Plan for final release
> >
> > Brute force needs to be integrated with code as it has to refuse before
> > the login screen is even shown (by IP address) or after the user
> > attempts to login (by username).
> Could we do it by adding more events? We could have events both before/after login?
> That would allow us to plug in other things to the login cycle, and you could also re-use
> the same event handlers for social and SAML logins. We could have built-in event handlers,
> but also let users register their own through the SPI.
It would have to be an SPI or something of which any of the interceptors
could abort the login.
> >
> > I really want the ability to redirect the user to an account management
> > warning screen that says something like "You logged into your account
> > from China. Was that you? If not, you might want to change your
> > credentials".
> Only China? Might be worth considering North Korea as well ;)
My gmail got hacked from China once, so I'm biased against them ;)
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
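The design the thread circles around, sketched as an added example that is not Keycloak's code: a before-login hook keyed by client IP, an after-attempt hook keyed by username, and a listener registry where any listener can abort the login. Every interface, class and method name here is hypothetical, as are the sample IPs and the username.

```java
import java.util.*;

// Hypothetical listener SPI (not Keycloak's): before-login hook keyed by client IP,
// after-attempt hook keyed by username; any listener returning false aborts the login.
interface LoginListener {
    default boolean beforeLogin(String clientIp) { return true; }
    default boolean afterAttempt(String clientIp, String username, boolean ok) { return true; }
}
// Brute-force listener: counts failures per IP and per username (in memory, no expiry window).
class BruteForceListener implements LoginListener {
    private final int maxFailures;
    private final Map<String, Integer> failuresByIp = new HashMap<>();
    private final Map<String, Integer> failuresByUser = new HashMap<>();
    BruteForceListener(int maxFailures) { this.maxFailures = maxFailures; }
    // Refuse the login screen itself once an IP has failed too often.
    @Override public boolean beforeLogin(String clientIp) {
        return failuresByIp.getOrDefault(clientIp, 0) < maxFailures;
    }
    @Override public boolean afterAttempt(String clientIp, String username, boolean ok) {
        // A locked username is refused even when the password is right.
        if (failuresByUser.getOrDefault(username, 0) >= maxFailures) return false;
        if (ok) { failuresByUser.remove(username); return true; }
        failuresByIp.merge(clientIp, 1, Integer::sum);
        failuresByUser.merge(username, 1, Integer::sum);
        return false;
    }
}
// The login cycle runs every listener on every event (no short-circuit), so each one sees every attempt.
class LoginFlow {
    private final List<LoginListener> listeners = new ArrayList<>();
    void register(LoginListener l) { listeners.add(l); }
    boolean canShowLoginScreen(String clientIp) {
        return listeners.stream().map(l -> l.beforeLogin(clientIp)).reduce(true, Boolean::logicalAnd);
    }
    boolean finishAttempt(String clientIp, String username, boolean credentialsOk) {
        boolean allowed = credentialsOk;
        for (LoginListener l : listeners) allowed &= l.afterAttempt(clientIp, username, credentialsOk);
        return allowed;
    }
}
public class Demo {
    public static void main(String[] args) {
        LoginFlow flow = new LoginFlow();
        flow.register(new BruteForceListener(3));
        for (int i = 0; i < 3; i++) flow.finishAttempt("203.0.113.7", "alice", false);
        System.out.println(flow.canShowLoginScreen("203.0.113.7"));            // false: IP refused
        System.out.println(flow.finishAttempt("198.51.100.9", "alice", true)); // false: username locked
    }
}
```

A production version would also expire the counters after a time window and persist them across nodes; the point here is only that the IP check runs before the form is rendered while the username check runs after the credential attempt, and either hook can abort.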