[keycloak-dev] Rate Limiting Logins

Cory Snyder csnyder at iland.com
Fri Sep 2 09:44:58 EDT 2016

Hey guys,

We ran into an issue recently where a customer didn’t have a great understanding of the OAuth2 authorization process and was submitting many direct grant login requests per second. They were successfully authenticating each time, so the brute force protection features don’t apply. It basically ended up being a DOS issue. We also ended up having OOM issues when trying to query the events for this customer during a scheduled job that we use to build reports on login events. We’re still running 1.8.2 at the moment, so I’m wondering if you guys have implemented any kind of rate limiting / DOS prevention that could have prevented this in one of the later releases? If not, I'm proposing that it might be worth considering, I could try to contribute something if you like. What do you guys think?


Cory Snyder

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160902/536f5748/attachment.html 

More information about the keycloak-dev mailing list