Hi Team,
I am trying to log in with a correct username and a wrong password.
When the failure count reaches Max Login Failures, the user account is locked temporarily for X minutes.
If I try to log in using the Keycloak login page (Browser flow), the failure count does not increment during the X minutes while the user is temporarily locked.
But if I try to authenticate against the API (Direct Grant flow), the failure count increments on every attempt even while the user is temporarily locked.
(API example: /realms/{{realm}}/protocol/openid-connect/token)
MaxLoginFailures: 5
incrementWait: 5 mins
MaxWait: 15 mins
Continuous invalid password attempts: 20
failureCount (when using the login page): 5
failureCount (when using the API): 20
I am using Keycloak 13.0.1.
Is that expected behavior in Keycloak, or is it an issue?
If it is an issue, can you tell me whether the approach below is the right way to solve the problem?
Write a custom SPI extending DefaultBruteForceProtector, override the failure method, check whether the user isTemporarilyDisabled and return if so; otherwise call DefaultBruteForceProtector's failure method.
Thanks & Regards,
Rajkumar
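The override the post proposes, written out as an added example (this is not code from the post's author or from the Keycloak project). It subclasses DefaultBruteForceProtector, checks isTemporarilyDisabled before delegating to the stock failure handling, and ships with the factory needed to register it as a replacement provider. The package, class names and provider id are hypothetical; the Keycloak API surface it relies on (the protected failure(KeycloakSession, LoginEvent) hook, the protected LoginEvent fields, the protected getRealmModel helper, the (id, realm) argument order of getUserById, and the start/shutdown lifecycle used by DefaultBruteForceProtectorFactory) is assumed from the 13.x services module and should be checked against the 13.0.1 sources before building:

```java
// File: LockoutAwareBruteForceProtector.java (hypothetical name and package)
package com.example.keycloak.bruteforce;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.BruteForceProtectorFactory;
import org.keycloak.services.managers.DefaultBruteForceProtector;

public class LockoutAwareBruteForceProtector extends DefaultBruteForceProtector {

    private static final Logger log = Logger.getLogger(LockoutAwareBruteForceProtector.class);

    public LockoutAwareBruteForceProtector(KeycloakSessionFactory factory) {
        super(factory);
    }

    // Assumption: in 13.x, failedLogin() only queues a FailedLogin event and the
    // protector's worker thread later calls this protected hook inside its own
    // transaction, so the session here is the worker's, not the request's.
    @Override
    protected void failure(KeycloakSession session, LoginEvent event) {
        RealmModel realm = getRealmModel(session, event);
        if (realm == null) {
            super.failure(session, event);
            return;
        }
        // Assumption: 13.x UserProvider.getUserById takes (id, realm); later
        // releases swapped the argument order.
        UserModel user = session.users().getUserById(event.userId, realm);
        if (user != null && isTemporarilyDisabled(session, realm, user)) {
            // Mirror what the Browser flow already does: an attempt made while
            // the account is inside its temporary lockout is not counted, so it
            // neither raises failureCount nor pushes the wait time out further.
            log.debugf("Ignoring login failure for user %s: account temporarily locked", event.userId);
            return;
        }
        super.failure(session, event);
    }
}

// File: LockoutAwareBruteForceProtectorFactory.java (hypothetical name)
// Same lifecycle as DefaultBruteForceProtectorFactory: one protector instance
// per server, created and started once the session factory is available.
public class LockoutAwareBruteForceProtectorFactory implements BruteForceProtectorFactory {

    private LockoutAwareBruteForceProtector protector;

    @Override
    public BruteForceProtector create(KeycloakSession session) {
        return protector;
    }

    @Override
    public void init(Config.Scope config) {
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        protector = new LockoutAwareBruteForceProtector(factory);
        protector.start();
    }

    @Override
    public void close() {
        if (protector != null) {
            protector.shutdown();
        }
    }

    @Override
    public String getId() {
        // Must differ from the built-in "default-brute-force-detector" so the
        // two providers can coexist and the custom one can be selected.
        return "lockout-aware-brute-force-detector";
    }
}
```

To make Keycloak pick the custom provider, the factory class name goes into META-INF/services/org.keycloak.services.managers.BruteForceProtectorFactory in the deployed jar, and the provider id is selected for the bruteForceProtector SPI in the server configuration (in 13.x, a spi element with that name and a default-provider of lockout-aware-brute-force-detector in standalone.xml; treat the SPI name as an assumption to verify). Two caveats a practitioner would want: the early return also skips the default implementation's failure log line and its update of the last-failure timestamp, so audit trails for attempts made during a lockout move to the debug message above; and because the check reads the same login-failure record that the stock code mutates, it must stay on the worker thread's transaction rather than be moved into failedLogin(), which has no session.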