Brute Force Detection issue: login failure count not resetting after successful login

When Brute Force Detection is enabled, the login failure count is not resetting after a successful login. As per the Permanent Lockout Algorithm described in the Keycloak documentation, the failure count should reset on successful login. It is described as follows in the documentation:

1) On successful login
    1. Reset count
2) On failed login
    1. Increment count
    2. If count greater than Max Login Failures
        1. Permanently disable user
    3. Else if time between this failure and the last failure is less than Quick Login Check Milliseconds
        1. Temporarily disable user for Minimum Quick Login Wait

When a user is disabled they can not login until an administrator enables the user; enabling an account resets count.

Can someone comment on this? Is it a bug or expected behaviour? Any help will be appreciated.
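To make the expected behaviour concrete, here is an added reference model of the documented Permanent Lockout Algorithm (example code written for this thread, not Keycloak's own implementation); the `LockoutPolicy`, `UserState` and `BruteForceTracker` names and the millisecond timestamps are assumptions, and the test scenario shows why a missing reset on success matters.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """Constructed stand-in for the three Keycloak settings named in the algorithm."""
    max_login_failures: int = 3
    quick_login_check_ms: int = 1000
    min_quick_login_wait_ms: int = 60_000


@dataclass
class UserState:
    failure_count: int = 0
    last_failure_ms: Optional[int] = None
    permanently_disabled: bool = False
    temporarily_disabled_until_ms: Optional[int] = None


class BruteForceTracker:
    """Hypothetical in-memory tracker that follows the documented steps literally."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_disabled(self, user: str, now_ms: int) -> bool:
        s = self._state(user)
        if s.permanently_disabled:
            return True
        return s.temporarily_disabled_until_ms is not None and now_ms < s.temporarily_disabled_until_ms

    def successful_login(self, user: str, now_ms: int) -> None:
        # Step 1: a successful login resets the count (the step reported as missing).
        s = self._state(user)
        s.failure_count = 0
        s.last_failure_ms = None

    def failed_login(self, user: str, now_ms: int) -> None:
        # Step 2: increment, then permanent lockout beats the quick-login check.
        s = self._state(user)
        s.failure_count += 1
        if s.failure_count > self.policy.max_login_failures:
            s.permanently_disabled = True
        elif s.last_failure_ms is not None and now_ms - s.last_failure_ms < self.policy.quick_login_check_ms:
            s.temporarily_disabled_until_ms = now_ms + self.policy.min_quick_login_wait_ms
        s.last_failure_ms = now_ms

    def admin_enable(self, user: str) -> None:
        # Enabling an account clears both lockouts and resets the count.
        self.users[user] = UserState()
```

Without the reset in `successful_login`, three failures, one success and three more failures would permanently disable the user on the next failure instead of starting a fresh window.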


I am observing the same thing in a custom SPI Brute Force Protector I am implementing for Keycloak 11.0.3. The successfulLogin(…) method of the BruteForceProtector Interface I implement never gets called.
Were you able to figure this out?


Any new update here? Do we need a custom SPI to work around it?