Hi guys! I'm very interested in Keycloak and would like to share with you some ideas that come from user requirements I currently have or had in the past that you may find useful to add in Keycloak.
* Automatically revoke access to user account after a (configurable) number of invalid sign-on passwords until the system administrator has unlocked the account or automatically after an administrator-defined interval - I know that with such feature an attacker could lock user accounts by simply knowing usernames/emails. However I have a case of an Intranet application that is accessible only inside the company and could trace such attackers by their ip addresses.
* Record and report (i.e. email sending) on failed login attempts outlining
* Force password changes at regular (configurable) intervals or
* Automatically reset the password and send a new one to the user via email
* Can ensure that the new password has not been used before in a number (configurable) of password changes
* Login using digital signature in a smart card or p12 file
* Security questions for password recovery

Other that I found as issues in other Identity Providers
* Support many accounts (~10K) within a reasonable amount of time
* When providing an authentication client (maven dependency) add only the needed set of dependencies. I know this sounds silly but I have experience with a client library provided by the Identity Provider that had a compile dependency to apache ant...