2:27 p.m.
Our current functionality is that if the user provides wrong password for 5
times or more then we want to display on the login page itself that the
user is locked out and they have to reset the password (User is Locked
until they reset password) I am trying to achieve the same functionality in
KeyCloak. Is it possible?
And as of now the failed login attempts count is in our Database and I want
to make Brute Force Detection to be based on the failed login attempts from
my database and update the failed login attempts to my DB, basically
combining Brute Force Detection and Custom UserStorageProvider to achieve
both the functionalities?
Thanks,
Deepu
3:29 a.m.
On 2017-01-13, Deepu Laghuvaram wrote:
Our current functionality is that if the user provides wrong password
for 5
times or more then we want to display on the login page itself that the
user is locked out and they have to reset the password (User is Locked
until they reset password) I am trying to achieve the same functionality in
KeyCloak. Is it possible?
I don't think it's possible today. By doing that you would be creating a
loophole for login. If you displaythat user is locked out,
attackers could verify that such user exists. See User enumeration
details[1].
And as of now the failed login attempts count is in our Database and I want
to make Brute Force Detection to be based on the failed login attempts from
my database and update the failed login attempts to my DB, basically
combining Brute Force Detection and Custom UserStorageProvider to achieve
both the functionalities?
I never tried that and not sure if it's possible. But store failed
attempts into the database, depending on the volume of your requests,
can be a bit slow.
[1] -
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessabl...
Thanks,
Deepu
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
8:26 p.m.
I do agree with you on both the points, but in our current functionality we
display as such for locked user and I think we do show that user is
existing in registration as well. And we want to continue using it.
Appreciated if any solution is available.
And coming to storing failed login attempts in database, its solving two
issues, one is we would be following current approach itself (where we
store them in database) and second is the failed login attempts would not
be lost on server restarts. As per this
<http://lists.jboss.org/pipermail/keycloak-user/2015-December/004000.html>;,
"You can also increase the number of owners for the cache which will mean
that login failures will survive a single node restart." But I dont know
how to increase the number of owners for cache and as per me I thought
persisting the attempts would be the better solution.
Thanks,
Raghu
On Mon, Jan 16, 2017 at 4:29 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
On 2017-01-13, Deepu Laghuvaram wrote:
> Our current functionality is that if the user provides wrong password
for 5
> times or more then we want to display on the login page itself that the
> user is locked out and they have to reset the password (User is Locked
> until they reset password) I am trying to achieve the same functionality
in
> KeyCloak. Is it possible?
I don't think it's possible today. By doing that you would be creating a
loophole for login. If you displaythat user is locked out,
attackers could verify that such user exists. See User enumeration
details[1].
>
> And as of now the failed login attempts count is in our Database and I
want
> to make Brute Force Detection to be based on the failed login attempts
from
> my database and update the failed login attempts to my DB, basically
> combining Brute Force Detection and Custom UserStorageProvider to achieve
> both the functionalities?
I never tried that and not sure if it's possible. But store failed
attempts into the database, depending on the volume of your requests,
can be a bit slow.
[1] - https://www.owasp.org/index.php/Testing_for_User_
Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
>
>
> Thanks,
> Deepu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
2900
days inactive
2904
days old
2 comments
2 participants
participants (2)
-
Bruno Oliveira -
Deepu Laghuvaram