[keycloak-user] Brute Force Detection issue: login failure count not resetting after successful login

Mario Imber keycloak-user at imber.wien
Mon Oct 28 04:08:37 EDT 2019


Hi,

Also note that there's a known issue of the brute force counter not 
being reset when using the password grant:
https://issues.jboss.org/browse/KEYCLOAK-8732

I mentioned a workaround using a custom event handler in the ticket, too.

Regards,
Mario.


On 16.10.2019 at 19:56, Vishnu Prakash wrote:
> Hi Marek,
> Sorry for the late reply.
> I have tested the scenario in detail. The problem is happening only in case the
> user's email ID is not verified.
> If it is already verified, then the failure count is resetting properly
> after a successful login.
> 
> Thanks & Regards,
> Vishnu Prakash
> 
> On Tue, Oct 15, 2019 at 1:17 PM Marek Posolda <mposolda at redhat.com> wrote:
> 
>> Hello,
>>
>> I am not sure if there is any bug, as I am not sure what exactly happens in
>> your environment. I mentioned in my previous email that in case the user is
>> already "temporarily disabled" or "permanently disabled", then after a
>> successful login the user will still remain disabled and the failure count
>> won't be restarted. IMO there is a bug just in case the failure count
>> wasn't restarted after a successful login, assuming the user wasn't already
>> disabled *before* this successful login.
>>
>> If you mention that the failure count wasn't restarted after a successful
>> login, are you sure that the user wasn't already disabled?
>>
>> Thanks,
>> Marek
>>
>> On 14. 10. 19 5:44, Vishnu Prakash wrote:
>>
>> Hi Marek,
>> Thanks for your reply. Can I report this as a bug in Keycloak? Is there
>> any chance that this will get fixed soon?
>>
>> Thanks and Regards,
>> Vishnu Prakash
>>
>> On Fri, 11 Oct 2019, 8:03 pm Marek Posolda, <mposolda at redhat.com> wrote:
>>
>>> I am not 100% sure about all the details of the Brute Force Detection.
>>> However, in case the user is already "temporarily disabled" or
>>> "permanently disabled", then after a successful login he will still be
>>> disabled. If he is not already disabled before the successful login, then
>>> the successful login should reset the failure count.
>>>
>>> Marek
>>>
>>> On 11. 10. 19 9:26, Vishnu Prakash wrote:
>>>> Hi Keycloak team,
>>>>
>>>> I have enabled Brute Force Detection in Keycloak. But the login failure
>>>> count is not resetting after a successful login. As per the Permanent
>>>> Lockout Algorithm described in the Keycloak documentation, the failure
>>>> count should reset on successful login. It is described as follows in
>>>> the documentation:
>>>>
>>>> 1. On successful login
>>>>    1. Reset count
>>>> 2. On failed login
>>>>    1. Increment count
>>>>    2. If count greater than Max Login Failures
>>>>       1. Permanently disable user
>>>>    3. Else if time between this failure and the last failure is less
>>>>       than Quick Login Check Milli Seconds
>>>>       1. Temporarily disable user for Minimum Quick Login Wait
>>>>
>>>> When a user is disabled they cannot login until an administrator
>>>> enables the user; enabling an account resets count.
>>>>
>>>> Can someone comment on this? Is it a bug or expected behaviour? Any
>>>> help will be appreciated.
>>>>
>>>> Thanks & Regards,
>>>> Vishnu Prakash
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
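The lockout algorithm Vishnu quotes from the documentation, together with the "already disabled" case Marek raises, as an added example that is not part of the thread and is not Keycloak's own code: a small Python model of the documented Permanent Lockout Algorithm with an injectable clock, so the temporary-lockout window and the permanent-lockout threshold can be driven deterministically. The class names, the `now_ms` clock parameter and the sample timelines are assumptions constructed for this example. It does not model the password-grant counter issue Mario references (KEYCLOAK-8732); it only implements the algorithm as quoted above plus the refusal of a disabled account before credentials are evaluated.

```python
"""Toy model of the Permanent Lockout Algorithm quoted above from the Keycloak
docs. Added example for this page: not Keycloak code and not its API. It also
models the refusal of already-disabled accounts before credential evaluation
that Marek describes. Class names, the injected clock and the sample
timelines are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutConfig:
    max_login_failures: int = 3            # "Max Login Failures"
    quick_login_check_ms: int = 1_000      # "Quick Login Check Milli Seconds"
    min_quick_login_wait_ms: int = 60_000  # "Minimum Quick Login Wait"


@dataclass
class UserLoginState:
    failure_count: int = 0
    last_failure_ms: Optional[int] = None
    temp_disabled_until_ms: Optional[int] = None
    permanently_disabled: bool = False


class PermanentLockoutProtector:
    """Applies the documented algorithm; now_ms is passed in by the caller."""

    def __init__(self, config: LockoutConfig) -> None:
        self.config = config

    def is_disabled(self, state: UserLoginState, now_ms: int) -> bool:
        if state.permanently_disabled:
            return True
        until = state.temp_disabled_until_ms
        return until is not None and now_ms < until

    def attempt_login(self, state: UserLoginState, password_ok: bool, now_ms: int) -> str:
        # A disabled account is refused before the password is checked, so a
        # correct password here never reaches the "reset count" step.
        if self.is_disabled(state, now_ms):
            return "rejected: account disabled"
        if password_ok:
            state.failure_count = 0          # 1. On successful login: reset count
            state.last_failure_ms = None
            return "success"
        state.failure_count += 1             # 2. On failed login: increment count
        previous_failure_ms = state.last_failure_ms
        state.last_failure_ms = now_ms
        if state.failure_count > self.config.max_login_failures:
            state.permanently_disabled = True  # 2.2 over Max Login Failures
            return "failed: permanently disabled"
        if (previous_failure_ms is not None
                and now_ms - previous_failure_ms < self.config.quick_login_check_ms):
            # 2.3 two failures closer than Quick Login Check: temporary lockout
            state.temp_disabled_until_ms = now_ms + self.config.min_quick_login_wait_ms
            return "failed: temporarily disabled"
        return "failed"

    def admin_enable(self, state: UserLoginState) -> None:
        """Enabling an account resets count (and clears both disable states)."""
        state.permanently_disabled = False
        state.temp_disabled_until_ms = None
        state.failure_count = 0
        state.last_failure_ms = None


def scenario_success_resets_count():
    """Two slow failures, then a correct password: the count returns to 0."""
    p, s = PermanentLockoutProtector(LockoutConfig()), UserLoginState()
    p.attempt_login(s, False, now_ms=0)
    p.attempt_login(s, False, now_ms=10_000)
    return p.attempt_login(s, True, now_ms=20_000), s.failure_count


def scenario_permanent_lockout_not_reset():
    """Fourth slow failure exceeds Max Login Failures=3; later correct password is refused."""
    p, s = PermanentLockoutProtector(LockoutConfig()), UserLoginState()
    last = [p.attempt_login(s, False, now_ms=t) for t in (0, 10_000, 20_000, 30_000)][-1]
    return last, p.attempt_login(s, True, now_ms=40_000), s.failure_count


def scenario_temporary_lockout():
    """Quick second failure starts the wait; correct password during it is refused."""
    p, s = PermanentLockoutProtector(LockoutConfig()), UserLoginState()
    p.attempt_login(s, False, now_ms=0)
    quick = p.attempt_login(s, False, now_ms=500)
    during = p.attempt_login(s, True, now_ms=30_000)
    after = p.attempt_login(s, True, now_ms=500 + 60_000)
    return quick, during, after, s.failure_count


def scenario_admin_enable_resets():
    """Admin re-enabling a permanently disabled account resets the count."""
    p, s = PermanentLockoutProtector(LockoutConfig()), UserLoginState()
    for t in (0, 10_000, 20_000, 30_000):
        p.attempt_login(s, False, now_ms=t)
    p.admin_enable(s)
    return s.permanently_disabled, s.failure_count, p.attempt_login(s, True, now_ms=40_000)
```

The temporary-lockout scenario is the one behind Marek's question: a correct password presented inside the wait window is refused before the credential check and leaves the counter where it was, so from the outside it looks like "successful login did not reset the count" even though no successful login took place. The first scenario is the behaviour Vishnu expects, and the admin scenario is the documented manual reset.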

