[keycloak-user] Brute Force Detection issue: login failure count not resetting after successful login
Marek Posolda
mposolda at redhat.com
Fri Oct 11 10:33:45 EDT 2019
I am not 100% sure about all the details of the Brute Force Detection.
However in case that user is already "temporarily disabled" or
"permanently disabled", then after successful login he will still be
disabled. If he is not already disabled before successful login, then
the successful login should reset the failure count.
Marek
On 11. 10. 19 9:26, Vishnu Prakash wrote:
> *Hi Keycloak team,I have enabled Brute Force Detection in Keycloak. But the
> login failure count is not resetting after successful login. As per the
> Permanent Lockout Algorithm described in keycloak documentation, the
> failure count should reset on successful login. It is described as follows
> in the documentation, 1. On successful login1. Reset count2. On failed
> login1. Increment count2. If count greater than Max Login Failures1.
> Permanently disable user3. Else if time between this failure and the last
> failure is less than Quick Login Check Milli Seconds1. Temporarily disable
> user for Minimum Quick Login WaitWhen a user is disabled they can not login
> until an administrator enables the user; enabling an account resets
> count.Can someone comment on this? Is it a bug or expected behaviour? Any
> help will be appreciated.Thanks & Regards,Vishnu Prakash*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list