12:56 p.m.
Hi Marek,
Sorry for the late reply.
I have tested the scenario in detail. Problem is happening only in case the
user's email id is not verified.
If it is already verified, then the failure count is resetting properly
after successful login.
Thanks & Regards,
Vishnu Prakash
On Tue, Oct 15, 2019 at 1:17 PM Marek Posolda <mposolda(a)redhat.com> wrote:
Hello,
I am not sure if there is any bug as I am not sure what exactly happens in
your environment? I mentioned in previous email that in case that user is
already "temporarily disabled" or "permanently disabled", then after
successful login, the user will still remain disabled and failure count
won't be restarted. IMO there is a bug just in case that failure count
wasn't restarted after successful login assuming that user wasn't already
disabled *before* this successful login.
If you mention that failure wasn't restarted after successful login, are
you sure that user wasn't already disabled?
Thanks,
Marel
On 14. 10. 19 5:44, Vishnu Prakash wrote:
Hi marek,
Thanks for your reply. Can I report this as a bug in keycloak. Is there
any chance that this will get fixed soon.
Thanks and Regards,
Vishnu Prakash
On Fri, 11 Oct 2019, 8:03 pm Marek Posolda, <mposolda(a)redhat.com> wrote:
> I am not 100% sure about all the details of the Brute Force Detection.
> However in case that user is already "temporarily disabled" or
> "permanently disabled", then after successful login he will still be
> disabled. If he is not already disabled before successful login, then
> the successful login should reset the failure count.
>
> Marek
>
> On 11. 10. 19 9:26, Vishnu Prakash wrote:
> > *Hi Keycloak team,I have enabled Brute Force Detection in Keycloak. But
> the
> > login failure count is not resetting after successful login. As per the
> > Permanent Lockout Algorithm described in keycloak documentation, the
> > failure count should reset on successful login. It is described as
> follows
> > in the documentation, 1. On successful login1. Reset count2. On failed
> > login1. Increment count2. If count greater than Max Login Failures1.
> > Permanently disable user3. Else if time between this failure and the
> last
> > failure is less than Quick Login Check Milli Seconds1. Temporarily
> disable
> > user for Minimum Quick Login WaitWhen a user is disabled they can not
> login
> > until an administrator enables the user; enabling an account resets
> > count.Can someone comment on this? Is it a bug or expected behaviour?
> Any
> > help will be appreciated.Thanks & Regards,Vishnu Prakash*
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>