Hi everyone,
while I totally agree that any configuration of the bruteforce-detection should require the realm-management role, I’d like to raise the question if clearing failed attempts should be that restrictive.
This affects the following service endpoints:
DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames
We would like to enable callcenter agents to unlock specific users, but giving them realm-management permissions doesn't feel right. Wouldn’t user-management be more appropriate permissions for these endpoints, or are there side effects to consider?
Thanks,
Gregor
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user