Hello,

I am not sure if there is any bug, as I am not sure what exactly happens
in your environment. I mentioned in my previous email that in case the
user is already "temporarily disabled" or "permanently disabled", then
after a successful login the user will still remain disabled and the
failure count won't be restarted. IMO there is a bug only in the case
that the failure count wasn't restarted after a successful login,
assuming that the user wasn't already disabled *before* this successful
login.

If you mention that the failure count wasn't restarted after a successful
login, are you sure that the user wasn't already disabled?

Thanks,
Marek
On 14. 10. 19 5:44, Vishnu Prakash wrote:
Hi Marek,
Thanks for your reply. Can I report this as a bug in Keycloak? Is
there any chance that this will get fixed soon?
Thanks and Regards,
Vishnu Prakash
On Fri, 11 Oct 2019, 8:03 pm Marek Posolda <mposolda(a)redhat.com> wrote:
I am not 100% sure about all the details of the Brute Force
Detection.
However in case that user is already "temporarily disabled" or
"permanently disabled", then after successful login he will still be
disabled. If he is not already disabled before successful login, then
the successful login should reset the failure count.
Marek
On 11. 10. 19 9:26, Vishnu Prakash wrote:
> Hi Keycloak team,
>
> I have enabled Brute Force Detection in Keycloak. But the login failure
> count is not resetting after successful login. As per the Permanent
> Lockout Algorithm described in Keycloak documentation, the failure count
> should reset on successful login. It is described as follows in the
> documentation,
>
> 1. On successful login
>    1. Reset count
> 2. On failed login
>    1. Increment count
>    2. If count greater than Max Login Failures
>       1. Permanently disable user
>    3. Else if time between this failure and the last failure is less
>       than Quick Login Check Milli Seconds
>       1. Temporarily disable user for Minimum Quick Login Wait
>
> When a user is disabled they can not login until an administrator
> enables the user; enabling an account resets count.
>
> Can someone comment on this? Is it a bug or expected behaviour? Any
> help will be appreciated.
>
> Thanks & Regards,
> Vishnu Prakash
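
The permanent lockout algorithm quoted in this thread, combined with the behaviour the replies describe for an already-disabled user, modelled as an added example; it is not part of the original emails and is not Keycloak's code. The names, the sample settings and the use of explicit millisecond timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample settings for illustration, not Keycloak defaults.
MAX_LOGIN_FAILURES = 3
QUICK_LOGIN_CHECK_MS = 1_000
MIN_QUICK_LOGIN_WAIT_MS = 60_000


@dataclass
class UserState:
    failures: int = 0
    last_failure_ms: Optional[int] = None
    temp_disabled_until_ms: int = 0
    permanently_disabled: bool = False

    def disabled(self, now_ms: int) -> bool:
        return self.permanently_disabled or now_ms < self.temp_disabled_until_ms


def on_success(u: UserState, now_ms: int) -> None:
    # Per the replies in the thread: a user who is already disabled stays
    # disabled and keeps the failure count; otherwise the count is reset.
    if not u.disabled(now_ms):
        u.failures, u.last_failure_ms = 0, None


def on_failure(u: UserState, now_ms: int) -> None:
    u.failures += 1
    quick = (u.last_failure_ms is not None
             and now_ms - u.last_failure_ms < QUICK_LOGIN_CHECK_MS)
    if u.failures > MAX_LOGIN_FAILURES:
        u.permanently_disabled = True
    elif quick:
        u.temp_disabled_until_ms = now_ms + MIN_QUICK_LOGIN_WAIT_MS
    u.last_failure_ms = now_ms


def admin_enable(u: UserState, now_ms: int) -> None:
    # "enabling an account resets count"
    u.failures, u.last_failure_ms = 0, None
    u.temp_disabled_until_ms, u.permanently_disabled = 0, False


def replay(events):
    """Apply (now_ms, kind) events; return (failures, disabled) after the last."""
    handlers = {"ok": on_success, "fail": on_failure, "enable": admin_enable}
    u, now = UserState(), 0
    for now, kind in events:
        handlers[kind](u, now)
    return u.failures, u.disabled(now)
```

Replaying two failures 200 ms apart followed by correct credentials leaves the count at 2, which is the case the reply asks about: the count only looks "not reset" because the quick-login check had already disabled the user.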