Re: [keycloak-user] Brute Force Detection issue: wrong password attempt counter not reset with successful login

Is there any suggestion? Should I create a bug fix Jira ticket? From: Zhao, Edwin (NSB - CN/Beijing) Sent: Friday, August 04, 2017 10:45 PM To: 'keycloak-dev-bounces(a)lists.jboss.org'; keycloak-user(a)lists.jboss.org Subject: Brute Force Detection issue: wrong password attempt counter not reset with successful login Hi Keycloak team, Many of our products would like to use keycloak for SSO, and with brute force detection function enabled. But they all want password failure counter can be reset after a correct password is entered. I saw 2 related tickets had once been created before, but product teams here in Nokia A&A organization still want the counter be reset after successful login. https://issues.jboss.org/browse/KEYCLOAK-2692 https://issues.jboss.org/browse/KEYCLOAK-3046 We once again raise this request, please help to provide the enhancement. Thanks, Edwin ---------------------------------------------- Reproduce: Enable Brute Force Detection on the realm Set Max Login Failures to 3 (or any other number) on a user Attempt to log in to Keycloak with the user try invalid password 2 times Attempt to log in to Keycloak with the user with correct password (should succeed) Log out Attempt to log in to Keycloak with the user try invalid password 1 times Attempt to log in to Keycloak with the user with correct password (should succeed, but fails) Verify by loggin in with Administrator to Keycloak and check the user status (will be locked out).