The brute force protection is there only to prevent guessing the password
through a brute force attack. It's not there to stop DOS attacks. We don't
have any rate limiting at the moment and I believe that's something that
would be better introduced with a firewall / intrusion detection system.
It's non-trivial to add, especially with the fact that a single client that
invokes the direct grant login could have thousands of legitimate users. I
don't think a simple implementation would be of much value, and it would not
replace a full-fledged firewall.
What did you have in mind with regards to requirements? Ability to
configure max number of requests per-client? Per-user?
For the OOM, the events endpoint supports pagination as well as date ranges,
which should prevent an OOM issue when querying it.
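Added example, not Keycloak code and not from either poster: a small simulation of the distinction drawn above. Brute-force protection counts failed logins per user, so a client that authenticates successfully thousands of times never trips it; a request-based limiter does, and only when it is keyed per client, because the same load spread across many legitimate users stays under any sensible per-user limit. The traffic stream, the limits, the window sizes and the client/user names are all constructed for the illustration.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts_ms: int        # request time in milliseconds on a constructed clock
    client_id: str    # OAuth2 client that invoked the direct grant
    username: str     # resource owner whose credentials were presented
    success: bool     # whether the credentials were valid


class SlidingWindowLimiter:
    """Rate limiting: counts every request per key inside a sliding window,
    whether or not the login succeeded."""

    def __init__(self, limit: int, window_ms: int) -> None:
        self.limit = limit
        self.window_ms = window_ms
        self.hits: dict[str, deque[int]] = {}

    def allow(self, key: str, ts_ms: int) -> bool:
        q = self.hits.setdefault(key, deque())
        while q and ts_ms - q[0] >= self.window_ms:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts_ms)
        return True


class FailureCounter:
    """Brute-force protection: counts only failed logins per user, so a flood
    of successful logins never trips it."""

    def __init__(self, max_failures: int, window_ms: int) -> None:
        self.max_failures = max_failures
        self.window_ms = window_ms
        self.failures: dict[str, deque[int]] = {}

    def is_locked(self, username: str, ts_ms: int) -> bool:
        q = self.failures.setdefault(username, deque())
        while q and ts_ms - q[0] >= self.window_ms:
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, username: str, ts_ms: int) -> None:
        self.failures.setdefault(username, deque()).append(ts_ms)


def constructed_attempts() -> list[LoginAttempt]:
    """Constructed traffic for the demo, not real log data."""
    attempts = []
    # One client with a misbehaving integration: 40 successful direct-grant
    # logins per second for 2.25 s, spread evenly over 10 distinct users.
    for i in range(90):
        attempts.append(LoginAttempt(25 * i, "reporting-app", f"user{i % 10}", True))
    # A different client where one user gets the password wrong 6 times.
    for k in range(6):
        attempts.append(LoginAttempt(5000 + 500 * k, "portal", "dave", False))
    return attempts


def evaluate(attempts, client_limit, user_limit, window_ms, max_failures, failure_window_ms):
    """Run the stream through optional per-client and per-user limiters plus
    the failure counter; a limit of None disables that limiter."""
    client_rl = SlidingWindowLimiter(client_limit, window_ms) if client_limit else None
    user_rl = SlidingWindowLimiter(user_limit, window_ms) if user_limit else None
    failures = FailureCounter(max_failures, failure_window_ms)
    out = {"accepted": 0, "client_throttled": 0, "user_throttled": 0, "locked_out": 0}
    for a in sorted(attempts, key=lambda x: x.ts_ms):
        if client_rl is not None and not client_rl.allow(a.client_id, a.ts_ms):
            out["client_throttled"] += 1
            continue
        if user_rl is not None and not user_rl.allow(a.username, a.ts_ms):
            out["user_throttled"] += 1
            continue
        if failures.is_locked(a.username, a.ts_ms):
            out["locked_out"] += 1
            continue
        out["accepted"] += 1
        if not a.success:
            failures.record_failure(a.username, a.ts_ms)
    return out


if __name__ == "__main__":
    stream = constructed_attempts()
    print("brute force only:   ", evaluate(stream, None, None, 1000, 5, 60_000))
    print("per-user 10/s:      ", evaluate(stream, None, 10, 1000, 5, 60_000))
    print("per-client 20/s too:", evaluate(stream, 20, 10, 1000, 5, 60_000))
```

With brute-force protection alone, or with a per-user limit of 10 requests per second, all 90 successful requests from the busy client go through and only the user with repeated failures gets locked; adding a per-client limit of 20 per second throttles 40 of them. That is the case the reply describes: a per-user knob does nothing against one client acting on behalf of many users, so if a limiter is added inside the server it needs a per-client dimension, and a firewall or IDS in front of it can apply the same counting without touching the login code.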
On 2 September 2016 at 15:44, Cory Snyder <csnyder(a)iland.com> wrote:
Hey guys,
We ran into an issue recently where a customer didn’t have a great
understanding of the OAuth2 authorization process and was submitting many
direct grant login requests per second. They were successfully
authenticating each time, so the brute force protection features don’t
apply. It basically ended up being a DOS issue. We also ended up having OOM
issues when trying to query the events for this customer during a scheduled
job that we use to build reports on login events. We’re still running 1.8.2
at the moment, so I’m wondering if you guys have implemented any kind of
rate limiting / DOS prevention that could have prevented this in one of the
later releases? If not, I'm proposing that it might be worth considering; I
could try to contribute something if you like. What do you guys think?
Thanks,
Cory Snyder
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev