Hi,
also note that there's a known issue of the brute force counter not
being reset when using password grant:
I mentioned a workaround using a custom event handler in the ticket, too.
Regards,
Mario.
On 16.10.2019 at 19:56, Vishnu Prakash wrote:
Hi Marek,
Sorry for the late reply.
I have tested the scenario in detail. The problem happens only when the
user's email id is not verified.
If it is already verified, then the failure count is resetting properly
after successful login.
Thanks & Regards,
Vishnu Prakash
On Tue, Oct 15, 2019 at 1:17 PM Marek Posolda <mposolda(a)redhat.com> wrote:
> Hello,
>
> I am not sure if there is any bug, as I am not sure what exactly happens in
> your environment. I mentioned in the previous email that in case the user is
> already "temporarily disabled" or "permanently disabled", then after
> successful login the user will still remain disabled and the failure count
> won't be restarted. IMO there is a bug just in case the failure count
> wasn't restarted after successful login, assuming that the user wasn't already
> disabled *before* this successful login.
>
> If you mention that failure wasn't restarted after successful login, are
> you sure that user wasn't already disabled?
>
> Thanks,
> Marek
>
> On 14. 10. 19 5:44, Vishnu Prakash wrote:
>
> Hi Marek,
> Thanks for your reply. Can I report this as a bug in Keycloak? Is there
> any chance that this will get fixed soon?
>
> Thanks and Regards,
> Vishnu Prakash
>
> On Fri, 11 Oct 2019, 8:03 pm Marek Posolda, <mposolda(a)redhat.com> wrote:
>
>> I am not 100% sure about all the details of the Brute Force Detection.
>> However in case that user is already "temporarily disabled" or
>> "permanently disabled", then after successful login he will still be
>> disabled. If he is not already disabled before successful login, then
>> the successful login should reset the failure count.
>>
>> Marek
>>
>> On 11. 10. 19 9:26, Vishnu Prakash wrote:
>>> Hi Keycloak team,
>>>
>>> I have enabled Brute Force Detection in Keycloak. But the login failure
>>> count is not resetting after successful login. As per the Permanent
>>> Lockout Algorithm described in the Keycloak documentation, the failure
>>> count should reset on successful login. It is described as follows in
>>> the documentation:
>>>
>>> 1. On successful login
>>>    1. Reset count
>>> 2. On failed login
>>>    1. Increment count
>>>    2. If count greater than Max Login Failures
>>>       1. Permanently disable user
>>>    3. Else if time between this failure and the last failure is less
>>>       than Quick Login Check Milli Seconds
>>>       1. Temporarily disable user for Minimum Quick Login Wait
>>>
>>> When a user is disabled they can not login until an administrator
>>> enables the user; enabling an account resets count.
>>>
>>> Can someone comment on this? Is it a bug or expected behaviour? Any
>>> help will be appreciated.
>>>
>>> Thanks & Regards,
>>> Vishnu Prakash
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
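To make the behaviour discussed in this thread concrete, here is an added toy model of the permanent-lockout algorithm that Vishnu quoted from the documentation, including the two caveats raised above: a user who was already temporarily or permanently disabled stays disabled after a correct password and gets no reset (Marek's point), and only an administrator enabling the account clears the count. This is illustrative code written for this reply, not Keycloak's own implementation; the class and field names (`BruteForceDetector`, `FailureRecord`, `email_verified`, the timing values) are made up, and the handling of an unverified email as a login that has not completed is an assumption used to model Vishnu's observation, not an established description of how Keycloak behaves.

```python
# Toy model of the permanent-lockout algorithm quoted in the thread.
# Added illustration only; this is not Keycloak's code, and the names
# (BruteForceDetector, FailureRecord, ...) are invented for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BruteForceConfig:
    max_login_failures: int = 3                    # "Max Login Failures"
    quick_login_check_millis: int = 1000           # "Quick Login Check Milli Seconds"
    minimum_quick_login_wait_millis: int = 60_000  # "Minimum Quick Login Wait"


@dataclass
class User:
    username: str
    enabled: bool = True         # False means permanently disabled
    email_verified: bool = True  # assumption: unverified email = login not completed


@dataclass
class FailureRecord:
    failure_count: int = 0
    last_failure_millis: Optional[int] = None
    disabled_until_millis: int = 0  # end of a temporary lockout, 0 if none


class BruteForceDetector:
    def __init__(self, config: BruteForceConfig) -> None:
        self.config = config
        self.records: Dict[str, FailureRecord] = {}

    def failure_count(self, user: User) -> int:
        rec = self.records.get(user.username)
        return rec.failure_count if rec else 0

    def is_disabled(self, user: User, now_millis: int) -> bool:
        """Permanently disabled, or still inside a temporary lockout window."""
        if not user.enabled:
            return True
        rec = self.records.get(user.username)
        return rec is not None and now_millis < rec.disabled_until_millis

    def login(self, user: User, password_ok: bool, now_millis: int) -> str:
        """Returns 'ok', 'bad_credentials', 'disabled' or 'pending_action'."""
        # Marek's caveat: a user already disabled before this attempt stays
        # disabled even with correct credentials, and nothing is reset.
        if self.is_disabled(user, now_millis):
            return "disabled"
        if not password_ok:
            self._on_failed_login(user, now_millis)
            return "bad_credentials"
        # Assumption modelling Vishnu's observation: with an unverified email
        # the login has not completed, so the reset step below is never reached.
        if not user.email_verified:
            return "pending_action"
        self.records.pop(user.username, None)  # 1. On successful login: reset count
        return "ok"

    def _on_failed_login(self, user: User, now_millis: int) -> None:
        rec = self.records.setdefault(user.username, FailureRecord())
        rec.failure_count += 1  # 2.1 Increment count
        if rec.failure_count > self.config.max_login_failures:
            user.enabled = False  # 2.2 Permanently disable user
        elif (rec.last_failure_millis is not None
              and now_millis - rec.last_failure_millis
              < self.config.quick_login_check_millis):
            # 2.3 Temporarily disable user for Minimum Quick Login Wait
            rec.disabled_until_millis = (
                now_millis + self.config.minimum_quick_login_wait_millis)
        rec.last_failure_millis = now_millis

    def admin_enable(self, user: User) -> None:
        """An administrator enabling the account resets the count."""
        user.enabled = True
        self.records.pop(user.username, None)


def run_scenarios() -> Dict[str, List]:
    """Constructed timelines (milliseconds) exercising each branch."""
    d = BruteForceDetector(BruteForceConfig())
    out: Dict[str, List] = {}
    alice = User("alice")  # slow failures, then success: count resets
    out["reset"] = [d.login(alice, False, 0), d.login(alice, False, 10_000),
                    d.login(alice, True, 20_000), d.failure_count(alice)]
    bob = User("bob")  # two quick failures: temporary lockout, no reset inside it
    out["quick"] = [d.login(bob, False, 0), d.login(bob, False, 500),
                    d.login(bob, True, 600), d.failure_count(bob),
                    d.login(bob, True, 61_000), d.failure_count(bob)]
    carol = User("carol")  # four failures > 3: permanent, only admin resets
    for t in (0, 10_000, 20_000, 30_000):
        d.login(carol, False, t)
    out["permanent"] = [carol.enabled, d.login(carol, True, 40_000)]
    d.admin_enable(carol)
    out["permanent"] += [d.login(carol, True, 50_000), d.failure_count(carol)]
    dave = User("dave", email_verified=False)  # reported case: count never reset
    out["unverified"] = [d.login(dave, False, 0), d.login(dave, True, 10_000),
                         d.failure_count(dave)]
    return out
```

Running `run_scenarios()` shows the four outcomes side by side: a plain success after slow failures clears the count, a correct password during a temporary lockout is refused and leaves the count untouched, a permanently disabled user is only restored (and reset) by `admin_enable`, and in the modelled unverified-email case the reset step is simply never reached, which is the symptom Vishnu reported.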