Looks quite interesting. Not sure the event system is the correct place as it's really read-only so couldn't impact the login itself. Maybe an authenticator would be a better place to implement it.It could also be combined with having a risk level associated on users that can then be viewed in the admin console (from the MS vid you shared the other day).On 11 September 2016 at 01:44, Thomas Darimont <thomas.darimont@googlemail.com > wrote:______________________________Hello group,Just saw an interesting talk from Java Zone 2016 aboutOWASP AppSensor which is a set of libraries that provide application level intrusion detection.The speaker (Dominik Schadow author of the german Book Java Web Security) mentionsthat having application level intrusion detection has the advantage of taking applicationcontext into account when assessing a user action compared to a web application firewall that simply scans for "known" attack patterns.I think this could be interesting for some public facing parts of Keycloak(login, account, password-reset, consent, admin-console, REST endpoints etc.)AppSensor comes with a wide variety of predefined DetectionPoints.These detection points can be used to identify a malicious user that isprobing for vulnerabilities or weaknesses:This could be embedded into the Keycloak Event System by emitting "IDS-Events"that could then be analyzed by an EventListener which then performs appropriate actions,e.g. logging a user out, lock a user or block the account or even IP address for a while.Talk: The Web Application Strikes BackExample application: duke-encountersCheers,Thomas_________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev