[keycloak-user] Authentication failure logs at ERROR level

Aikeaguinea aikeaguinea at xsmail.com
Tue Apr 12 10:17:47 EDT 2016


I'm implementing a custom authenticator, and I'm noticing that whenever
I get an authentication failure I get a long exception in the log at
level ERROR as well as one at level WARN:


     19:08:16,592 WARN  [org.keycloak.events] (default task-7)
     type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account,
     userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials,
     auth_method=openid-connect, auth_type=code,
     redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect',
     code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19
     19:08:16,593 ERROR [org.keycloak.services] (default task-7)
     KC-SERVICES0013: failed authentication:
     org.keycloak.authentication.AuthenticationFlowException
         at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207)
         at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:85)
         at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:756)
         at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:353)
         at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:335)
         at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:380)
         ...many more lines


This seems open to a DoS vulnerability that would fill up logs by
bombing the system with failed login attempts. In addition, logging the
failure at ERROR means that the only way to keep the second log entry
from showing up is to turn off all logging for org.keycloak.services.

In my ideal world, we could set Keycloak so that login failures were
simply recorded as events but did not show up in the server log at all. Is
there a way to do that?

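Of the two entries in the post, the org.keycloak.events WARN line is the one that carries structured fields (type, ipAddress, error), so it is the better input for detecting a flood of failed logins than the stack trace. The following script, added here as an example and not code from the thread or from Keycloak itself, parses lines in that format and reports source addresses that produce a burst of LOGIN_ERROR events within a sliding window; the sample log is constructed from the format shown above, and the console pattern (time, level, category, thread, message) is assumed to be Keycloak's default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in the format shown in the post. Only the events line
# carries key=value fields; the org.keycloak.services ERROR line does not.
SAMPLE_LOG = """\
19:08:16,592 WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19
19:08:16,593 ERROR [org.keycloak.services] (default task-7) KC-SERVICES0013: failed authentication: org.keycloak.authentication.AuthenticationFlowException
19:08:17,100 WARN  [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials
19:08:17,400 WARN  [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=10.0.0.5, error=invalid_user_credentials
19:08:18,000 WARN  [org.keycloak.events] (default task-10) type=LOGIN, realmId=CustomAuthTest, clientId=account, userId=abc123, ipAddress=10.0.0.5
19:08:18,300 WARN  [org.keycloak.events] (default task-11) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials
"""

# Assumed default console pattern: "HH:mm:ss,SSS LEVEL [category] (thread) message".
EVENT_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d,\d{3}) +(?P<level>[A-Z]+) +\[org\.keycloak\.events\] "
    r"\([^)]*\) (?P<fields>.*)$")
# A value is either single-quoted (redirect_uri) or runs up to the next comma.
FIELD = re.compile(r"(\w+)=('[^']*'|[^,]*)")


def parse_event_line(line):
    """Return the key=value fields of an org.keycloak.events line, else None."""
    m = EVENT_LINE.match(line.rstrip())
    if not m:
        return None
    fields = {k: v.strip("'") for k, v in FIELD.findall(m.group("fields"))}
    fields["time"] = datetime.strptime(m.group("time"), "%H:%M:%S,%f")
    return fields


def burst_sources(log_text, window_seconds=60, threshold=5):
    """Map each ipAddress that reaches `threshold` LOGIN_ERROR events inside any
    `window_seconds` sliding window to the largest count seen in such a window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    peaks = {}
    for line in log_text.splitlines():
        ev = parse_event_line(line)
        if not ev or ev.get("type") != "LOGIN_ERROR":
            continue
        ip, t = ev.get("ipAddress", "?"), ev["time"]
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks
```

With the sample above, `burst_sources(SAMPLE_LOG, window_seconds=2, threshold=3)` flags only 127.0.0.1; the successful LOGIN event from 10.0.0.5 and the ERROR stack-trace line are ignored.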


