4:24 a.m.
Hi all!
We would like to have ability to configure the brute force detector so it can disable a
user account after X failed attempts completely and not only lock him/her out for a period
of time (setting the lockout-time to a few years is not enough). In the end we would like
the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for
different realms. I guess this would also require the detector to reset the
failed-login-attempts count on a successful login.
Does this sound interesting and could this then be something that we could contribute with
to KeyCloak?
Or is there a way to substitute the already existing brute force detector?
Thanks in advance!
Fabian Eriksson
2:15 a.m.
You can implement a custom provider for the brute force protection that
would do what you want. It wouldn't be configurable through the admin
console though.
I don't see why we couldn't add it as an option to the built-in provider
though so if you are happy to send a PR for it including tests we could
accept it into 3.x.
On 21 December 2016 at 11:24, Eriksson Fabian <fabian.eriksson(a)gi-de.com>
wrote:
Hi all!
We would like to have ability to configure the brute force detector so it
can disable a user account after X failed attempts completely and not only
lock him/her out for a period of time (setting the lockout-time to a few
years is not enough). In the end we would like the admins of KeyCloak to be
able to set a timed lockout-period or set a permanent one for different
realms. I guess this would also require the detector to reset the
failed-login-attempts count on a successful login.
Does this sound interesting and could this then be something that we could
contribute with to KeyCloak?
Or is there a way to substitute the already existing brute force detector?
Thanks in advance!
Fabian Eriksson
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:28 a.m.
Do you want me to create a new feature request through the dev mailing list or could I
immediately create a Jira-ticket?
Best regards
Fabian Eriksson
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: den 2 januari 2017 09:15
To: Eriksson Fabian
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Brute force detector extension
You can implement a custom provider for the brute force protection that would do what you
want. It wouldn't be configurable through the admin console though.
I don't see why we couldn't add it as an option to the built-in provider though so
if you are happy to send a PR for it including tests we could accept it into 3.x.
On 21 December 2016 at 11:24, Eriksson Fabian
<fabian.eriksson@gi-de.com<mailto:fabian.eriksson@gi-de.com>> wrote:
Hi all!
We would like to have ability to configure the brute force detector so it can disable a
user account after X failed attempts completely and not only lock him/her out for a period
of time (setting the lockout-time to a few years is not enough). In the end we would like
the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for
different realms. I guess this would also require the detector to reset the
failed-login-attempts count on a successful login.
Does this sound interesting and could this then be something that we could contribute with
to KeyCloak?
Or is there a way to substitute the already existing brute force detector?
Thanks in advance!
Fabian Eriksson
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:18 p.m.
I believe the best is to create Jira as a feature request. And later you
can attach your PR to that.
On 2017-01-11, Eriksson Fabian wrote:
Do you want me to create a new feature request through the dev
mailing list or could I immediately create a Jira-ticket?
Best regards
Fabian Eriksson
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: den 2 januari 2017 09:15
To: Eriksson Fabian
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Brute force detector extension
You can implement a custom provider for the brute force protection that would do what you
want. It wouldn't be configurable through the admin console though.
I don't see why we couldn't add it as an option to the built-in provider though
so if you are happy to send a PR for it including tests we could accept it into 3.x.
On 21 December 2016 at 11:24, Eriksson Fabian
<fabian.eriksson@gi-de.com<mailto:fabian.eriksson@gi-de.com>> wrote:
Hi all!
We would like to have ability to configure the brute force detector so it can disable a
user account after X failed attempts completely and not only lock him/her out for a period
of time (setting the lockout-time to a few years is not enough). In the end we would like
the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for
different realms. I guess this would also require the detector to reset the
failed-login-attempts count on a successful login.
Does this sound interesting and could this then be something that we could contribute
with to KeyCloak?
Or is there a way to substitute the already existing brute force detector?
Thanks in advance!
Fabian Eriksson
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
1:30 a.m.
+1 You've already explained it on the mailing list and we've commented so
it safe to continue with a PR without worrying that we'll reject your work
On 11 January 2017 at 19:18, Bruno Oliveira <bruno(a)abstractj.org> wrote:
I believe the best is to create Jira as a feature request. And later
you
can attach your PR to that.
On 2017-01-11, Eriksson Fabian wrote:
> Do you want me to create a new feature request through the dev mailing
list or could I immediately create a Jira-ticket?
>
> Best regards
> Fabian Eriksson
>
> From: Stian Thorgersen [mailto:sthorger@redhat.com]
> Sent: den 2 januari 2017 09:15
> To: Eriksson Fabian
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Brute force detector extension
>
> You can implement a custom provider for the brute force protection that
would do what you want. It wouldn't be configurable through the admin
console though.
>
> I don't see why we couldn't add it as an option to the built-in provider
though so if you are happy to send a PR for it including tests we could
accept it into 3.x.
>
> On 21 December 2016 at 11:24, Eriksson Fabian <fabian.eriksson(a)gi-de.com
<mailto:fabian.eriksson@gi-de.com>> wrote:
> Hi all!
>
> We would like to have ability to configure the brute force detector so
it can disable a user account after X failed attempts completely and not
only lock him/her out for a period of time (setting the lockout-time to a
few years is not enough). In the end we would like the admins of KeyCloak
to be able to set a timed lockout-period or set a permanent one for
different realms. I guess this would also require the detector to reset the
failed-login-attempts count on a successful login.
>
> Does this sound interesting and could this then be something that we
could contribute with to KeyCloak?
>
> Or is there a way to substitute the already existing brute force
detector?
>
> Thanks in advance!
> Fabian Eriksson
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
2908
days inactive
2931
days old
4 comments
3 participants
participants (3)
-
Bruno Oliveira -
Eriksson Fabian -
Stian Thorgersen