Brute Force Detection failure count increments - Browser vs Direct grant authentication flow

Hi Team,

Trying with a correct username and a wrong password.
When the failure count reaches Max login failures, the user account is locked temporarily for X minutes.

If I try to log in using the Keycloak login page (uses the Browser flow), the failure count does not increment for X minutes while the user is temporarily locked.

But if I try to authenticate via an API (uses the Direct Grant flow), the failure count increments on every attempt even when the user is temporarily locked.
(API example: /realms/{{realm}}/protocol/openid-connect/token)

MaxLoginFailures: 5
incrementWait: 5 mins
MaxWait: 15 mins

Continuous invalid password attempts: 20
failureCount (when using login page): 5
failureCount (when using API): 20

I am using Keycloak 13.0.1.
Is that expected behavior from Keycloak, or is it an issue?

If it is an issue, can you tell me whether the approach below is the right way of solving the problem?
Write a custom SPI for DefaultBruteForceProtector, override the failure method, check whether the user isTemporarilyDisabled and return if so, otherwise call the failure method of DefaultBruteForceProtector.

Thanks & Regards,
Rajkumar
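The override described in the question, as an added example that is not code from the post or from the Keycloak project. It assumes the Keycloak 13.x API (DefaultBruteForceProtector.failure(KeycloakSession, LoginEvent), LoginEvent.userId and getRealmModel are protected, isTemporarilyDisabled is public, the user store exposes getUserById(String, RealmModel), and a provider with the built-in factory id and a higher order() replaces the default); the package and class names are hypothetical.

```java
// Added example (not from the post or the Keycloak project). Assumes the Keycloak 13.x
// API described in the lead-in; the package and class names are hypothetical.
package com.example.keycloak.bruteforce;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.BruteForceProtectorFactory;
import org.keycloak.services.managers.DefaultBruteForceProtector;

public class LockAwareBruteForceProtector extends DefaultBruteForceProtector {

    public LockAwareBruteForceProtector(KeycloakSessionFactory factory) {
        super(factory);
    }

    @Override
    protected void failure(KeycloakSession session, LoginEvent event) {
        RealmModel realm = getRealmModel(session, event);
        UserModel user = realm == null ? null : session.users().getUserById(event.userId, realm);
        // While the temporary lockout is active, drop the extra failures that the
        // direct-grant token endpoint keeps reporting, so the count matches the
        // browser flow and the lockout does not escalate towards MaxWait.
        if (user != null && isTemporarilyDisabled(session, realm, user)) {
            return;
        }
        super.failure(session, event); // normal path: record the failure
    }

    // Factory listed in META-INF/services/org.keycloak.services.managers.BruteForceProtectorFactory
    // (as ...LockAwareBruteForceProtector$Factory). It reuses the built-in id with a higher
    // order() so Keycloak selects it instead of DefaultBruteForceProtectorFactory.
    public static class Factory implements BruteForceProtectorFactory {
        private LockAwareBruteForceProtector protector;

        @Override public BruteForceProtector create(KeycloakSession session) { return protector; }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) {
            protector = new LockAwareBruteForceProtector(factory);
            protector.start(); // background thread that drains the login-event queue
        }
        @Override public void close() { protector.shutdown(); }
        @Override public String getId() { return "default-brute-force-detector"; }
        @Override public int order() { return 100; }
    }
}
```

With this in place, a locked user keeps the same failureCount over both flows (5 in the numbers above instead of 20). On a Keycloak release that already contains the fix for the direct-grant inconsistency, the override is unnecessary and should be removed.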

It's an issue and is solved in [KEYCLOAK-19773] BFD and Direct Grant - inconsistent number of failures - Red Hat Issue Tracker