When Brute Force Detection is enabled, the login failure count is not resetting after a successful login. As per the Permanent Lockout Algorithm described in the Keycloak documentation, the failure count should reset on successful login. It is described as follows in the documentation:

1) On successful login
   1. Reset count
2) On failed login
   1. Increment count
   2. If count greater than Max Login Failures
      1. Permanently disable user
   3. Else if time between this failure and the last failure is less than Quick Login Check Milli Seconds
      1. Temporarily disable user for Minimum Quick Login Wait

When a user is disabled they cannot log in until an administrator enables the user; enabling an account resets count.
Can someone comment on this? Is it a bug or expected behaviour? Any help will be appreciated.
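As an added example (not Keycloak's own code), the quoted algorithm written as a small Python state machine with constructed settings (max 3 failures, 1000 ms quick-login window, 60 s minimum wait), so the expected reset-on-success behaviour can be replayed against a sequence of login events:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PermanentLockout:
    # Assumed realm brute-force settings (constructed values, not from the post)
    max_login_failures: int = 3
    quick_login_check_ms: int = 1000
    minimum_quick_login_wait_ms: int = 60_000
    failure_count: int = 0
    last_failure_ms: Optional[int] = None
    permanently_disabled: bool = False
    temp_disabled_until_ms: int = 0

    def is_disabled(self, now_ms: int) -> bool:
        return self.permanently_disabled or now_ms < self.temp_disabled_until_ms

    def on_success(self) -> None:
        # Step 1 of the quoted algorithm: a successful login resets the count
        self.failure_count = 0

    def on_failure(self, now_ms: int) -> None:
        # Step 2: increment, check Max Login Failures, then the quick-login window
        self.failure_count += 1
        if self.failure_count > self.max_login_failures:
            self.permanently_disabled = True
        elif (self.last_failure_ms is not None
              and now_ms - self.last_failure_ms < self.quick_login_check_ms):
            self.temp_disabled_until_ms = now_ms + self.minimum_quick_login_wait_ms
        self.last_failure_ms = now_ms

    def admin_enable(self) -> None:
        # An administrator enabling the account also resets the count
        self.permanently_disabled = False
        self.temp_disabled_until_ms = 0
        self.failure_count = 0

def simulate(events: List[Tuple[str, int]], **settings) -> PermanentLockout:
    """Replay ("ok" | "fail", timestamp_ms) events against a fresh lockout state."""
    state = PermanentLockout(**settings)
    for outcome, ts in events:
        if state.is_disabled(ts):
            continue  # a disabled user cannot log in, so nothing is counted
        if outcome == "ok":
            state.on_success()
        else:
            state.on_failure(ts)
    return state
```

With the reset in place, three failures, a success and three more failures leave the count at 3 and the user enabled; without it the same sequence would exceed the maximum and permanently disable the user.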