[keycloak-user] Brute Force Detection issue: login failure count not resetting after successful login

Vishnu Prakash vishnuprakash323 at gmail.com
Sun Oct 13 23:44:36 EDT 2019


Hi Marek,
Thanks for your reply. Can I report this as a bug in Keycloak? Is there any
chance that this will get fixed soon?

Thanks and Regards,
Vishnu Prakash

On Fri, 11 Oct 2019, 8:03 pm Marek Posolda, <mposolda at redhat.com> wrote:

> I am not 100% sure about all the details of the Brute Force Detection.
> However, in case the user is already "temporarily disabled" or
> "permanently disabled", then after a successful login he will still be
> disabled. If he is not already disabled before the successful login, then
> the successful login should reset the failure count.
>
> Marek
>
> On 11. 10. 19 9:26, Vishnu Prakash wrote:
> > Hi Keycloak team,
> >
> > I have enabled Brute Force Detection in Keycloak. But the login failure
> > count is not resetting after successful login. As per the Permanent
> > Lockout Algorithm described in the Keycloak documentation, the failure
> > count should reset on successful login. It is described as follows in
> > the documentation:
> >
> > 1. On successful login
> >    1. Reset count
> > 2. On failed login
> >    1. Increment count
> >    2. If count greater than Max Login Failures
> >       1. Permanently disable user
> >    3. Else if time between this failure and the last failure is less
> >       than Quick Login Check Milli Seconds
> >       1. Temporarily disable user for Minimum Quick Login Wait
> >
> > When a user is disabled they can not login until an administrator
> > enables the user; enabling an account resets count.
> >
> > Can someone comment on this? Is it a bug or expected behaviour? Any
> > help will be appreciated.
> >
> > Thanks & Regards,
> > Vishnu Prakash
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
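The lockout algorithm quoted from the documentation, together with Marek's point that an already-disabled user is not reset by a successful login, can be modelled as a small state machine. The following is an added illustration written for this thread, not Keycloak's own code; the policy parameter names, the millisecond clock and the `UserState` fields are assumptions chosen to mirror the settings named in the thread.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    # Assumed names mirroring the Keycloak settings mentioned in the thread.
    max_login_failures: int = 3
    quick_login_check_ms: int = 1000
    minimum_quick_login_wait_ms: int = 60_000


@dataclass
class UserState:
    failure_count: int = 0
    last_failure_ms: Optional[int] = None
    permanently_disabled: bool = False
    disabled_until_ms: Optional[int] = None  # temporary lockout expiry

    def is_disabled(self, now_ms: int) -> bool:
        if self.permanently_disabled:
            return True
        return self.disabled_until_ms is not None and now_ms < self.disabled_until_ms


def record_login(state: UserState, policy: LockoutPolicy, success: bool, now_ms: int) -> bool:
    """Apply one login attempt; return True if the attempt is accepted."""
    if state.is_disabled(now_ms):
        # Marek's caveat: a user who is already disabled stays disabled and
        # nothing is reset, even if the credentials were correct.
        return False
    if success:
        state.failure_count = 0  # 1. On successful login -> reset count
        return True
    state.failure_count += 1  # 2.1 On failed login -> increment count
    if state.failure_count > policy.max_login_failures:
        state.permanently_disabled = True  # 2.2 permanently disable user
    elif (state.last_failure_ms is not None
          and now_ms - state.last_failure_ms < policy.quick_login_check_ms):
        # 2.3 quick successive failure -> temporarily disable user
        state.disabled_until_ms = now_ms + policy.minimum_quick_login_wait_ms
    state.last_failure_ms = now_ms
    return False


def admin_enable(state: UserState) -> None:
    """An administrator enabling the account clears the lock and resets the count."""
    state.permanently_disabled = False
    state.disabled_until_ms = None
    state.failure_count = 0
```

Running a sequence of failures, a quick retry and a success through `record_login` shows which path resets the count and which path (already disabled) leaves it untouched.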