[keycloak-user] Brute Force Detection - Get status of a username in brute force detection

Andrej Prievalsky ado.boj.83 at gmail.com
Fri Mar 18 09:55:45 EDT 2016


I have a question concerning your REST API:
GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
In 1.9.1.Final my setting for the realm Demo looks like this:

[image: Inline image 1]

I have noticed with this endpoint:

- 1.) when the user is not created, the answer for this REST call is the same as for
a created user with 0 numFailures:
   "numFailures": 0,
   "disabled": false,
   "lastIPFailure": "n/a",
   "lastFailure": 0

- 2.) when Max Login Failures is set to 3 and I enter an incorrect password 2 times
and the correct password the 3rd time, numFailures is not reset by Keycloak:
  "numFailures": 2,
  "disabled": false,

Are these 2 cases correct from your point of view?

Thanks and Best Regards,