We started using Keycloak as identity and access management for our new project design and enabled Brute Force Detection for my newly created realm.
It's working, but in my use case I have to notify my users that they have to wait another 30 min to try logging in again since they have reached Max Login Failure. But I get 'invalid_grant' as the same error message whenever I try with the wrong / correct password after the max failure has been reached.
```json
{
  "error": "invalid_grant",
  "error_description": "Invalid user credentials"
}
```
How do I differentiate the response message to notify my users?
Hi, it is best practice not to provide any useful information to the user in case of a failed login.
I think that's what they implement.
On the other hand, if an account is locked temporarily, there is clearly value to inform the user about a reason.
One option would be to catch the (failed) login event on the server and notify the user via email. Email would be a different channel and would not provide details to the hacker / bot, but on the other hand would inform the user and provide them with actions.
I'd recommend creating a feature request for this - I believe it should be there as an option to let the user know "come back later". Another solution would be to request a captcha or similar to keep the bad ones out.
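A server-side event listener along the lines suggested in this reply, as an added example that is not part of the thread or of Keycloak's own code. It assumes a recent Keycloak version (UserProvider.getUserById(realm, id)), a hypothetical provider id `lockout-notifier`, a hypothetical email template `lockout.ftl` with subject key `lockoutSubject` in the realm's theme, and registration of the factory through META-INF/services/org.keycloak.events.EventListenerProviderFactory.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.Config;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.events.*;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.*;

public class LockoutNotifierFactory implements EventListenerProviderFactory {
    // Last notification time per user id: a bot that keeps hammering a locked
    // account must not turn this listener into an email flood aimed at the victim.
    private static final Map<String, Long> LAST_NOTIFIED = new ConcurrentHashMap<>();
    private static final long MIN_INTERVAL_MS = 30 * 60 * 1000L; // assumed 30 min lockout window

    @Override public EventListenerProvider create(KeycloakSession session) { return new Listener(session); }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}
    @Override public String getId() { return "lockout-notifier"; } // hypothetical id shown in the admin console

    static class Listener implements EventListenerProvider {
        private final KeycloakSession session;
        Listener(KeycloakSession session) { this.session = session; }

        @Override public void onEvent(Event event) {
            // Brute force detection records LOGIN_ERROR with this error code while the account is locked.
            if (event.getType() != EventType.LOGIN_ERROR
                    || !Errors.USER_TEMPORARILY_DISABLED.equals(event.getError())
                    || event.getUserId() == null) return;
            long now = System.currentTimeMillis();
            Long last = LAST_NOTIFIED.get(event.getUserId());
            if (last != null && now - last < MIN_INTERVAL_MS) return; // already told this user
            RealmModel realm = session.realms().getRealm(event.getRealmId());
            UserModel user = session.users().getUserById(realm, event.getUserId());
            if (user == null || user.getEmail() == null) return;
            try {
                Map<String, Object> attrs = Map.of("ip", String.valueOf(event.getIpAddress()));
                session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user)
                        .send("lockoutSubject", "lockout.ftl", attrs); // hypothetical template
                LAST_NOTIFIED.put(event.getUserId(), now);
            } catch (EmailException e) {
                // Never break the login flow because mail is down; the event is still logged by Keycloak.
            }
        }
        @Override public void onEvent(AdminEvent event, boolean includeRepresentation) {}
        @Override public void close() {}
    }
}
```

After deploying the provider jar, enable it under Realm settings > Events > Event listeners; the token endpoint keeps returning the generic invalid_grant, and only the account owner learns about the lockout through the separate email channel.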