[keycloak-user] Brute Force Detection issue: wrong password attempt counter not reset with successful login
Zhao, Edwin (NSB - CN/Beijing)
edwin.zhao at nokia-sbell.com
Wed Aug 9 10:41:14 EDT 2017
Is there any suggestion?
Should I create a bug fix Jira ticket?
From: Zhao, Edwin (NSB - CN/Beijing)
Sent: Friday, August 04, 2017 10:45 PM
To: 'keycloak-dev-bounces at lists.jboss.org'; keycloak-user at lists.jboss.org
Subject: Brute Force Detection issue: wrong password attempt counter not reset with successful login
Hi Keycloak team,
Many of our products would like to use keycloak for SSO, and with brute force detection function enabled.
But they all want password failure counter can be reset after a correct password is entered.
I saw 2 related tickets had once been created before, but product teams here in Nokia A&A organization still want the counter be reset after successful login.
https://issues.jboss.org/browse/KEYCLOAK-2692
https://issues.jboss.org/browse/KEYCLOAK-3046
We once again raise this request, please help to provide the enhancement.
Thanks,
Edwin
----------------------------------------------
Reproduce:
Enable Brute Force Detection on the realm
Set Max Login Failures to 3 (or any other number) on a user
Attempt to log in to Keycloak with the user try invalid password 2 times
Attempt to log in to Keycloak with the user with correct password (should succeed)
Log out
Attempt to log in to Keycloak with the user try invalid password 1 times
Attempt to log in to Keycloak with the user with correct password (should succeed, but fails)
Verify by loggin in with Administrator to Keycloak and check the user status (will be locked out).
More information about the keycloak-user
mailing list