[keycloak-dev] Rate Limiting Logins
sthorger at redhat.com
Mon Sep 5 02:42:20 EDT 2016
The brute force protection is there only to prevent guessing the password
through a brute force attack. It's not there to stop DOS attacks. We don't
have any rate limiting at the moment and I believe that's something that
would be better introduced with a firewall / intrusion detection system.
It's non-trivial to add, especially with the fact that a single client that
invokes the direct grant login could have thousands of legitimate users. I
don't think a simple implementation would be of much value, and it would not
replace a full-fledged firewall.
What did you have in mind with regards to requirements? Ability to
configure max number of requests per-client? Per-user?
For the OOM, the events endpoint supports pagination as well as date ranges,
which should prevent an OOM issue when querying it.
On 2 September 2016 at 15:44, Cory Snyder <csnyder at iland.com> wrote:
> Hey guys,
> We ran into an issue recently where a customer didn’t have a great
> understanding of the OAuth2 authorization process and was submitting many
> direct grant login requests per second. They were successfully
> authenticating each time, so the brute force protection features don’t
> apply. It basically ended up being a DOS issue. We also ended up having OOM
> issues when trying to query the events for this customer during a scheduled
> job that we use to build reports on login events. We’re still running 1.8.2
> at the moment, so I’m wondering if you guys have implemented any kind of
> rate limiting / DOS prevention that could have prevented this in one of the
> later releases? If not, I'm proposing that it might be worth considering, I
> could try to contribute something if you like. What do you guys think?
> Cory Snyder
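As an added illustration of the per-client versus per-user question raised in the reply above (this is not code from the thread or from Keycloak), the following Python sketch runs constructed direct-grant traffic through a sliding-window limiter keyed two ways; the client name, user names, rates and limits are all assumptions.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self._hits = {}  # key -> deque of accepted request timestamps

    def allow(self, key, now):
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def rejected_users(requests, limiter, key_fn):
    """Run (timestamp, client_id, user) requests through `limiter`, keyed by
    key_fn(client_id, user); return the users with at least one rejection."""
    rejected = set()
    for ts, client_id, user in sorted(requests):
        if not limiter.allow(key_fn(client_id, user), ts):
            rejected.add(user)
    return rejected


def constructed_traffic():
    """Constructed sample: client 'portal' with 20 users logging in once per
    second, plus one misconfigured integration retrying 50 times a second."""
    reqs = []
    for sec in range(3):
        reqs += [(sec + i * 0.04, "portal", f"user{i:02d}") for i in range(20)]
        reqs += [(sec + j * 0.02, "portal", "misconfigured-user") for j in range(50)]
    return reqs


def compare_policies():
    traffic = constructed_traffic()
    # Per-client cap (30 req/s on the client as a whole): the offender shares
    # one bucket with every legitimate user of that client, so they suffer too.
    by_client = rejected_users(traffic, SlidingWindowLimiter(30), lambda c, u: c)
    # Per-user cap (5 req/s per client+user pair): only the offender is throttled.
    by_user = rejected_users(traffic, SlidingWindowLimiter(5), lambda c, u: (c, u))
    return by_client, by_user


if __name__ == "__main__":
    by_client, by_user = compare_policies()
    print("per-client policy rejected:", sorted(by_client))
    print("per-user policy rejected:", sorted(by_user))
```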