[keycloak-user] How to differentiate between invalid credentials and a blocked user?
Scott Finlay
scott.finlay at sixt.com
Tue Feb 20 05:08:13 EST 2018
Hi,
When using the Brute Force Detection it seems if a user is blocked the error message returned by the
Keycloak API is "invalid_grant: Invalid user credentials" which is the same error message returned
if the password was wrong. I understand the idea here is to prevent an attacker from knowing the difference
but from a usability perspective it would be much nicer if we could somehow inform the user if his account
is currently locked. Is there any reasonable way to do this? I'd rather not have to make an additional
API call after every failed login attempt to see if the user is blocked.
Regards,
Scott
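As an added example (not code from the post above or from the Keycloak project), here is the server-side flow the post is weighing: run the password grant, and only when the token endpoint returns its deliberately uniform `invalid_grant` error consult the Admin REST brute-force record for that user. It assumes brute force detection is enabled in the realm, that the application holds an admin token allowed to read `/admin/realms/{realm}/attack-detection/brute-force/users/{userId}` (which returns `numFailures`, `disabled`, `lastIPFailure`, `lastFailure`), and that `base` already contains any `/auth` prefix your deployment uses. The sample payloads are constructed, not captured from a server.

```python
"""Tell a brute-force lockout apart from a wrong password after a Keycloak login.

Added example; not code from the mailing-list post or from Keycloak itself.
Assumptions (verify against your Keycloak version):
  * Brute force detection is on, so the token endpoint answers a locked user and a
    wrong password identically: HTTP 401, {"error": "invalid_grant",
    "error_description": "Invalid user credentials"}.
  * The server side holds an admin token that may call the Admin REST API:
      GET /admin/realms/{realm}/users?username={username}
      GET /admin/realms/{realm}/attack-detection/brute-force/users/{userId}
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Outcomes the login front end can act on.
OK = "ok"
BAD_CREDENTIALS = "bad_credentials"
LOCKED = "locked"
OTHER_ERROR = "other_error"

# Constructed sample payloads (not captured from a real server).
SAMPLE_TOKEN_ERROR = {"error": "invalid_grant", "error_description": "Invalid user credentials"}
SAMPLE_BF_LOCKED = {"numFailures": 5, "disabled": True,
                    "lastIPFailure": "203.0.113.7", "lastFailure": 1519121293000}
SAMPLE_BF_CLEAR = {"numFailures": 1, "disabled": False,
                   "lastIPFailure": "203.0.113.7", "lastFailure": 1519121293000}


def http_json(method, url, data=None, headers=None):
    """Minimal JSON HTTP helper; returns (status, parsed body) even on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def password_grant(base, realm, client_id, client_secret, username, password):
    """Resource Owner Password grant against the realm's token endpoint."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password}).encode()
    return http_json("POST", f"{base}/realms/{realm}/protocol/openid-connect/token", form,
                     {"Content-Type": "application/x-www-form-urlencoded"})


def brute_force_status(base, realm, admin_token, username):
    """Resolve the user id (the username filter is a substring search, so match exactly),
    then fetch the brute-force record. Returns None if the user is unknown."""
    hdr = {"Authorization": f"Bearer {admin_token}"}
    query = urllib.parse.urlencode({"username": username})
    status, users = http_json("GET", f"{base}/admin/realms/{realm}/users?{query}", headers=hdr)
    match = [u for u in users if u.get("username") == username] if status == 200 else []
    if not match:
        return None
    status, record = http_json(
        "GET", f"{base}/admin/realms/{realm}/attack-detection/brute-force/users/{match[0]['id']}",
        headers=hdr)
    return record if status == 200 else None


def resolve_outcome(token_status, token_body, bf_record):
    """Combine the uniform token error with the admin-only lock record."""
    if token_status == 200 and "access_token" in token_body:
        return OK
    if token_body.get("error") != "invalid_grant":
        return OTHER_ERROR
    if bf_record is not None and bf_record.get("disabled"):
        return LOCKED
    return BAD_CREDENTIALS


def user_message(outcome, reveal_lock):
    """reveal_lock=False keeps Keycloak's uniform answer, so the login form cannot be used
    to learn which accounts exist or are locked; reveal_lock=True is what the post asks for."""
    if outcome == OK:
        return "Signed in."
    if outcome == LOCKED and reveal_lock:
        return "Your account is temporarily locked after too many failed attempts. Try again later."
    if outcome in (LOCKED, BAD_CREDENTIALS):
        return "Invalid username or password."
    return "Login failed, please try again."


def login(base, realm, client_id, client_secret, admin_token, username, password, reveal_lock=False):
    """Full flow: token request, then (only on invalid_grant) the extra admin lookup."""
    status, body = password_grant(base, realm, client_id, client_secret, username, password)
    record = None
    if status != 200 and body.get("error") == "invalid_grant":
        record = brute_force_status(base, realm, admin_token, username)  # the additional call
    outcome = resolve_outcome(status, body, record)
    return outcome, user_message(outcome, reveal_lock)
```

The lock record is reachable only with admin privileges, so the lookup has to stay server-side; if the result is relayed to an unauthenticated caller, the login form becomes the oracle that the uniform `invalid_grant` message was designed to remove, which is the trade-off the post is asking about.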