Is there any suggestion?
Should I create a bug fix Jira ticket?
From: Zhao, Edwin (NSB - CN/Beijing)
Sent: Friday, August 04, 2017 10:45 PM
To: 'keycloak-dev-bounces(a)lists.jboss.org'; keycloak-user(a)lists.jboss.org
Subject: Brute Force Detection issue: wrong password attempt counter not reset with successful login
Hi Keycloak team,
Many of our products would like to use keycloak for SSO, with the brute force detection function enabled.
But they all want the password failure counter to be reset after a correct password is entered.
I saw 2 related tickets had once been created before, but product teams here in the Nokia A&A organization still want the counter to be reset after a successful login.
https://issues.jboss.org/browse/KEYCLOAK-2692
https://issues.jboss.org/browse/KEYCLOAK-3046
We once again raise this request; please help to provide the enhancement.
Thanks,
Edwin
----------------------------------------------
Reproduce:
Enable Brute Force Detection on the realm
Set Max Login Failures to 3 (or any other number) on a user
Attempt to log in to Keycloak with the user, trying an invalid password 2 times
Attempt to log in to Keycloak with the user with the correct password (should succeed)
Log out
Attempt to log in to Keycloak with the user, trying an invalid password 1 time
Attempt to log in to Keycloak with the user with the correct password (should succeed, but fails)
Verify by logging in to Keycloak as Administrator and checking the user status (will be locked out).
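To make the reported sequence concrete, here is an added model of a per-user failure counter (written for this thread, not Keycloak's own code) that replays the reproduction steps with Max Login Failures = 3, once with the counter kept across a successful login and once with it reset on success; the lockout is modelled as permanent and the real feature's wait-increment timing is left out, which is an assumption of this model. The user name "edwin" is a constructed sample value.

```python
# Added example: a minimal model of a per-user login-failure counter, written
# for this thread to contrast the reported behaviour (counter kept across a
# successful login) with the requested one (counter reset on success).
# It is not Keycloak's code; the lockout here is permanent and ignores the
# wait-increment timing of the real feature (a simplification/assumption).
from dataclasses import dataclass


@dataclass
class UserLoginState:
    num_failures: int = 0   # wrong-password attempts recorded for the user
    locked: bool = False    # set once num_failures reaches max_login_failures


class BruteForceDetector:
    def __init__(self, max_login_failures: int, reset_on_success: bool):
        self.max_login_failures = max_login_failures
        self.reset_on_success = reset_on_success
        self.users: dict[str, UserLoginState] = {}

    def attempt(self, username: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'failed' or 'locked'."""
        state = self.users.setdefault(username, UserLoginState())
        if state.locked:
            return "locked"          # rejected even with the correct password
        if password_ok:
            if self.reset_on_success:
                state.num_failures = 0   # the behaviour the thread asks for
            return "ok"
        state.num_failures += 1
        if state.num_failures >= self.max_login_failures:
            state.locked = True
            return "locked"
        return "failed"


def run_reported_scenario(reset_on_success: bool) -> list[str]:
    """Replay the steps from the bug report with Max Login Failures = 3."""
    det = BruteForceDetector(max_login_failures=3,
                             reset_on_success=reset_on_success)
    # wrong, wrong, right, (log out), wrong, right -- as in the report
    steps = [False, False, True, False, True]
    return [det.attempt("edwin", ok) for ok in steps]   # constructed user


if __name__ == "__main__":
    print("counter kept across success:", run_reported_scenario(False))
    print("counter reset on success   :", run_reported_scenario(True))
```

With the counter kept, the fourth attempt locks the user and the final correct password is rejected, exactly as the report describes; with the reset, the final login succeeds.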