Brute Force Detection

Hi Team,

We started using Keycloak as identity and access management for our new project design and enabled Brute Force Detection for my newly created realm.

It's working, but in my use case I have to notify my users that they have to wait another 30 min before trying to log in again, since they have reached Max Login Failure. But I get 'invalid_grant' as the same error message whenever I try with the wrong / correct password after the max failure count is reached.

{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}

How do I differentiate the response message to notify my users?

Hi, it is best practice not to provide any useful information to the user in case of a failed login.
I think that's what they implement.
On the other hand, if an account is locked temporarily, there is clearly value in informing the user about the reason.
One option would be to catch the (failed) login event on the server and notify the user via email. Email would be a different channel and would not provide details to the hacker / bot, but on the other hand would inform the user and provide them with actions.
I'd recommend creating a feature request for this - I believe it should be there as an option to allow the user to know "come back later". Another solution would be to request a captcha or similar to keep the bad ones out.
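The server-side "catch the failed login event and email the user" option from the reply above, as an added example that is not part of the original thread and not Keycloak's own code. It is a Keycloak EventListenerProvider built on the public SPI (org.keycloak.events, org.keycloak.email, org.keycloak.models, org.keycloak.services.managers); the package name, the listener id and the suppression window are hypothetical, and a couple of method signatures (for example getUserById) have changed between Keycloak releases, so check them against the version you run. The point it demonstrates: the client-facing response stays the generic invalid_grant, while the lockout is reported on a second channel by matching LOGIN_ERROR events whose error is user_temporarily_disabled, and only for a user who is actually locked right now.

```java
// Added example, not Keycloak project code. Assumes the Keycloak SPI classes
// imported below; package, listener id and suppression window are hypothetical.
package com.example.keycloak.lockout;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailSenderProvider;
import org.keycloak.events.Errors;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.BruteForceProtector;

public class LockoutNotifierFactory implements EventListenerProviderFactory {

    private static final Logger LOG = Logger.getLogger(LockoutNotifierFactory.class);
    public static final String ID = "lockout-email-notifier"; // hypothetical listener id

    // One mail per user per window: an attacker who keeps hammering a locked
    // account must not be able to turn this listener into a mail flood at the victim.
    // In-memory and therefore per node; use a shared store on a cluster.
    private static final long SUPPRESS_MS = 30 * 60 * 1000L;
    private static final Map<String, Long> lastNotified = new ConcurrentHashMap<>();

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new EventListenerProvider() {
            @Override
            public void onEvent(Event event) {
                // Wrong password or unknown user: nothing is said to anyone.
                if (event.getType() != EventType.LOGIN_ERROR
                        || !Errors.USER_TEMPORARILY_DISABLED.equals(event.getError())
                        || event.getUserId() == null) {
                    return;
                }
                long now = System.currentTimeMillis();
                Long prev = lastNotified.get(event.getUserId());
                if (prev != null && now - prev < SUPPRESS_MS) {
                    return;
                }
                RealmModel realm = session.realms().getRealm(event.getRealmId());
                UserModel user = session.users().getUserById(realm, event.getUserId());
                if (user == null || user.getEmail() == null) {
                    return;
                }
                // Confirm with the protector itself, so a stale or replayed event
                // never produces a lockout mail for an account that is not locked.
                BruteForceProtector protector = session.getProvider(BruteForceProtector.class);
                if (!protector.isTemporarilyDisabled(session, realm, user)) {
                    return;
                }
                lastNotified.put(event.getUserId(), now);
                sendLockoutMail(realm, user, event.getIpAddress());
            }

            private void sendLockoutMail(RealmModel realm, UserModel user, String ip) {
                // The exact wait grows with the failure count; the realm's
                // "max wait" gives the user a safe upper bound to quote.
                int maxWaitMinutes = realm.getMaxFailureWaitSeconds() / 60;
                String subject = "Your account is temporarily locked";
                String text = "Too many failed sign-in attempts"
                        + (ip != null ? " (last attempt from " + ip + ")" : "")
                        + ". Sign-in is blocked for up to " + maxWaitMinutes
                        + " minutes. If this was not you, change your password once the lock expires.";
                try {
                    session.getProvider(EmailSenderProvider.class)
                           .send(realm.getSmtpConfig(), user, subject, text, null);
                } catch (EmailException e) {
                    // Mail trouble must never change the outcome of the login flow.
                    LOG.warnf("lockout mail for user %s failed: %s", user.getId(), e.getMessage());
                }
            }

            @Override
            public void onEvent(AdminEvent event, boolean includeRepresentation) { }

            @Override
            public void close() { }
        };
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return ID; }
}
```

To load it, package the class in a jar with a META-INF/services/org.keycloak.events.EventListenerProviderFactory file containing the factory's class name, deploy it as a provider, and add the listener id under Realm Settings > Events > Event listeners. The token endpoint keeps answering invalid_grant / Invalid user credentials exactly as in the question, which is the property the reply argues for; the user learns about the lock through email instead.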

How do we create a new feature request?

See here: https://www.keycloak.org/community