I am not 100% sure about all the details of the Brute Force Detection.
However, in case the user is already "temporarily disabled" or
"permanently disabled", then after a successful login he will still be
disabled. If he is not already disabled before the successful login, then
the successful login should reset the failure count.
Marek
On 11. 10. 19 9:26, Vishnu Prakash wrote:
Hi Keycloak team,

I have enabled Brute Force Detection in Keycloak. But the login failure
count is not resetting after successful login. As per the Permanent Lockout
Algorithm described in keycloak documentation, the failure count should
reset on successful login. It is described as follows in the documentation,

1. On successful login
   1. Reset count
2. On failed login
   1. Increment count
   2. If count greater than Max Login Failures
      1. Permanently disable user
   3. Else if time between this failure and the last failure is less than
      Quick Login Check Milli Seconds
      1. Temporarily disable user for Minimum Quick Login Wait

When a user is disabled they can not login until an administrator enables
the user; enabling an account resets count.

Can someone comment on this? Is it a bug or expected behaviour? Any help
will be appreciated.

Thanks & Regards,
Vishnu Prakash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
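
A small model of the Permanent Lockout Algorithm quoted in this thread, combined with the behaviour described in the reply (an already disabled user stays disabled, otherwise a successful login resets the count). This is an added example, not Keycloak's code and not part of the original messages; the class and function names, the sample threshold values, and the choice to leave the count untouched while the user is disabled are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BruteForceState:
    # Sample values (constructed); the names mirror the settings quoted in the thread.
    max_login_failures: int = 3
    quick_login_check_ms: int = 1000
    min_quick_login_wait_ms: int = 60000
    count: int = 0
    last_failure_ms: Optional[int] = None
    temp_disabled_until_ms: int = 0
    permanently_disabled: bool = False

    def is_disabled(self, now_ms: int) -> bool:
        return self.permanently_disabled or now_ms < self.temp_disabled_until_ms

    def attempt(self, now_ms: int, password_ok: bool) -> str:
        # Per the reply: a disabled user stays disabled even with correct
        # credentials. Assumption: the count is not changed in that case.
        if self.is_disabled(now_ms):
            return "disabled"
        if password_ok:
            self.count = 0                      # 1. On successful login: reset count
            return "ok"
        self.count += 1                         # 2.1 Increment count
        previous, self.last_failure_ms = self.last_failure_ms, now_ms
        if self.count > self.max_login_failures:
            self.permanently_disabled = True    # 2.2 Permanently disable user
            return "permanently_disabled"
        if previous is not None and now_ms - previous < self.quick_login_check_ms:
            # 2.3 Temporarily disable user for Minimum Quick Login Wait
            self.temp_disabled_until_ms = now_ms + self.min_quick_login_wait_ms
            return "temporarily_disabled"
        return "failed"

    def admin_enable(self) -> None:
        # "enabling an account resets count"
        self.permanently_disabled = False
        self.temp_disabled_until_ms = 0
        self.count = 0


def replay(events, **settings):
    """Replay constructed (time_ms, password_ok) events; return (result, count) pairs."""
    state = BruteForceState(**settings)
    return [(state.attempt(t, ok), state.count) for t, ok in events]
```

Replaying a sequence in which the correct password arrives during a temporary lockout shows why the count can appear not to reset: the attempt is rejected as disabled and the failure count is left as it was.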