Should I add these in JIRA as feature requests?

On Thu, Mar 20, 2014 at 3:47 PM, Adrian Mitev <> wrote:

On Thu, Mar 20, 2014 at 3:22 PM, Bill Burke <> wrote:

On 3/20/2014 6:47 AM, Adrian Mitev wrote:
> Hi guys! I'm very interested in Keycloak and would like to share with
> you some ideas that come from user requirements I currently have or had
> in the past that you may find useful to add in Keycloak.
> * Automatically revoke access to user account after a (configurable)
> number of invalid sign-on passwords until the system administrator has
> unlocked the account or automatically after an administrator-defined
> interval - I know that with such feature an attacker could lock user
> accounts by simply knowing usernames/emails. However I have a case of an
> Intranet application that is accessible only inside the company and
> could trace such attackers by their ip addresses.

Working on Brute force detection now.  First iteration will increasingly
add a "not before" time on successive login failures.  Second iteration
will include IP address options.

> * Record and report (i.e. email sending) on failed login attempts outlining
> * Force password changes at regular (configurable) intervals or
> * Automatically reset the password and send a new one to the user via email
> * Can ensure that the new password has not been used before in a number
> (configurable) of password changes
> * Login using digital signature in a smart card or p12 file

This something different than OTP?
A customer company has a policy that a password for user account should be changed every week. This counts for special type of users that access more sensitive information.

> * Security questions for password recovery
> Other that I found as issues in other Identity Providers
> * Support many accounts (~10K) within a reasonable amount of time
> * When providing an authentication client (maven dependency) add only
> the needed set of dependencies. I know this sounds silly but I have
> experience with a client library provided by the Identity Provider that
> had a compile dependency to apache ant...

So far our adapters are installed once onto the app server.

Bill Burke
JBoss, a division of Red Hat
keycloak-dev mailing list