[keycloak-user] Brute force detector extension

Stian Thorgersen sthorger at redhat.com
Mon Jan 2 03:15:23 EST 2017


You can implement a custom provider for the brute force protection that
would do what you want. It wouldn't be configurable through the admin
console though.

I don't see why we couldn't add it as an option to the built-in provider
though so if you are happy to send a PR for it including tests we could
accept it into 3.x.

On 21 December 2016 at 11:24, Eriksson Fabian <fabian.eriksson at gi-de.com>
wrote:

> Hi all!
>
> We would like to have ability to configure the brute force detector so it
> can disable a user account after X failed attempts completely and not only
> lock him/her out for a period of time (setting the lockout-time to a few
> years is not enough). In the end we would like the admins of KeyCloak to be
> able to set a timed lockout-period or set a permanent one for different
> realms. I guess this would also require the detector to reset the
> failed-login-attempts count on a successful login.
>
> Does this sound interesting and could this then be something that we could
> contribute with to KeyCloak?
>
> Or is there a way to substitute the already existing brute force detector?
>
> Thanks in advance!
> Fabian Eriksson
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list