[keycloak-user] Brute Force Detection issue: wrong password attempt counter not reset with successful login

Zhao, Edwin (NSB - CN/Beijing) edwin.zhao at nokia-sbell.com
Fri Aug 4 12:31:18 EDT 2017


Hi Keycloak team,
This is Edwin from the Nokia A&A organization. We want a change to brute force detection: reset the password failure counter after a successful login.
I saw that 2 related tickets had been created for this before:
https://issues.jboss.org/browse/KEYCLOAK-2692
https://issues.jboss.org/browse/KEYCLOAK-3046

We understand the potential risk, but many of our products still want this change to improve the user experience.
So we are once again raising this request; please help to provide the enhancement.
Please let me know if I need to create a JIRA ticket.

Thanks,
Edwin
----------------------------------------------
Reproduce:
Enable Brute Force Detection on the realm
Set Max Login Failures to 3 (or any other number) on a user
Attempt to log in to Keycloak as the user with an invalid password 2 times
Attempt to log in to Keycloak as the user with the correct password (should succeed)
Log out
Attempt to log in to Keycloak as the user with an invalid password 1 time
Attempt to log in to Keycloak as the user with the correct password (should succeed, but fails)
Verify by logging in to Keycloak as Administrator and checking the user status (the user will be locked out).
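The following is an added illustration of the reproduce steps above, not code from Keycloak or from the poster. It is a small in-memory model of a realm-level wrong-password counter, parameterised by whether a successful login clears the counter (the `reset_on_success` flag, the `LoginGuard` class, the user name and the passwords are all assumptions of this example). `run_reproduce_steps` replays the exact sequence from the report under both policies, and `interleaved_guessing` shows the trade-off the tickets discuss: an attacker who stays below the threshold between the legitimate user's logins is never stopped once the counter resets, while without the reset the legitimate user is the one who ends up locked out.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Model of a per-user wrong-password counter.

    max_failures plays the role of the realm's "Max Login Failures";
    reset_on_success is the behaviour the mailing-list post asks for.
    This is an illustration, not Keycloak's implementation.
    """
    max_failures: int
    reset_on_success: bool
    # constructed credential store for the example; a real system stores hashes
    passwords: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'wrong_password' or 'locked'."""
        if user in self.locked:
            return "locked"
        expected = self.passwords.get(user, "")
        if hmac.compare_digest(expected.encode(), password.encode()):
            if self.reset_on_success:
                self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        # the attempt that reaches the threshold is still reported as a
        # wrong password; every attempt after it sees the lockout
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "wrong_password"


def run_reproduce_steps(reset_on_success: bool) -> list:
    """Replay the sequence from the bug report with Max Login Failures = 3."""
    guard = LoginGuard(max_failures=3, reset_on_success=reset_on_success,
                       passwords={"edwin": "correct-horse"})
    attempts = [
        "bad1", "bad2",        # 2 invalid passwords
        "correct-horse",       # correct password, should succeed
        # logout happens here; it does not touch the counter in this model
        "bad3",                # 1 more invalid password
        "correct-horse",       # correct password again
    ]
    return [guard.login("edwin", p) for p in attempts]


def interleaved_guessing(reset_on_success: bool, rounds: int) -> dict:
    """Attacker sends max_failures-1 wrong guesses, then the real user logs in; repeat.

    Returns how many guesses the attacker got to make and in which round
    (if any) the legitimate user was first refused.
    """
    guard = LoginGuard(max_failures=3, reset_on_success=reset_on_success,
                       passwords={"edwin": "correct-horse"})
    guesses = 0
    user_locked_out_in_round = None
    for r in range(rounds):
        for i in range(guard.max_failures - 1):
            if guard.login("edwin", f"guess-{r}-{i}") == "locked":
                break
            guesses += 1
        if guard.login("edwin", "correct-horse") != "ok" and user_locked_out_in_round is None:
            user_locked_out_in_round = r
    return {"attacker_guesses": guesses,
            "user_locked_out_in_round": user_locked_out_in_round}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"reset_on_success={policy}: steps -> {run_reproduce_steps(policy)}")
        print(f"reset_on_success={policy}: interleaved -> {interleaved_guessing(policy, 5)}")
```

With the counter kept across successful logins the final correct login in the replay is refused, which is the report's symptom; with the reset it succeeds, but the interleaved run shows the attacker's guesses are then never bounded by the threshold, only by how often the real user happens to log in.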