[keycloak-user] Brute Force Detection issue: login failure count not resetting after successful login

Marek Posolda mposolda at redhat.com
Tue Oct 15 03:47:27 EDT 2019 

Hello,

I am not sure if there is any bug as I am not sure what exactly happens 
in your environment? I mentioned in previous email that in case that 
user is already "temporarily disabled" or "permanently disabled", then 
after successful login, the user will still remain disabled and failure 
count won't be restarted. IMO there is a bug just in case that failure 
count wasn't restarted after successful login assuming that user wasn't 
already disabled *before* this successful login.

If you mention that failure wasn't restarted after successful login, are 
you sure that user wasn't already disabled?

Thanks,
Marel

On 14. 10. 19 5:44, Vishnu Prakash wrote:
> Hi marek,
> Thanks for your reply. Can I report this as a bug in keycloak. Is 
> there any chance that this will get fixed soon.
>
> Thanks and Regards,
> Vishnu Prakash
>
> On Fri, 11 Oct 2019, 8:03 pm Marek Posolda, <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     I am not 100% sure about all the details of the Brute Force
>     Detection.
>     However in case that user is already "temporarily disabled" or
>     "permanently disabled", then after successful login he will still be
>     disabled. If he is not already disabled before successful login, then
>     the successful login should reset the failure count.
>
>     Marek
>
>     On 11. 10. 19 9:26, Vishnu Prakash wrote:
>     > *Hi Keycloak team,I have enabled Brute Force Detection in
>     Keycloak. But the
>     > login failure count is not resetting after successful login. As
>     per the
>     > Permanent Lockout Algorithm described in keycloak documentation, the
>     > failure count should reset on successful login. It is described
>     as follows
>     > in the documentation, 1. On successful login1. Reset count2. On
>     failed
>     > login1. Increment count2. If count greater than Max Login Failures1.
>     > Permanently disable user3. Else if time between this failure and
>     the last
>     > failure is less than Quick Login Check Milli Seconds1.
>     Temporarily disable
>     > user for Minimum Quick Login WaitWhen a user is disabled they
>     can not login
>     > until an administrator enables the user; enabling an account resets
>     > count.Can someone comment on this? Is it a bug or expected
>     behaviour? Any
>     > help will be appreciated.Thanks & Regards,Vishnu Prakash*
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

More information about the keycloak-user mailing list