While trying out the brute force protection in 15.0.2 we found out that a temporarily locked user will be locked out indefinitely when the proper password is given again and again during the temporary lock timeout.
I investigated the code and may have found the reason. In AuthenticatorUtils#getDisabledByBruteForceEventError it is checked if the user is temporarily or permanently locked out, in which case an Errors.USER_TEMPORARILY_DISABLED or Errors.USER_DISABLED gets returned. Those errors are stored to the login failure model in ValidateUsername.
Finally, the temporary lock state of a user is determined by checking if the user has entries in the login failure model during the defined time span. The error type itself is not taken into consideration.
So from my understanding, each login attempt during the temp/permanent lock phase creates a login failure entry, which in turn extends the period indefinitely. I would suggest filtering out the USER_TEMPORARILY_DISABLED and USER_DISABLED types from the result of MapUserLoginFailureProvider.getUserLoginFailure.
Unfortunately JIRA seems broken to me, as I cannot log in to create an issue. So please have a look into Keycloak and JIRA.
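The feedback loop described in the report, as an added toy model that is not Keycloak's code: a login-failure store where every rejected attempt (including one rejected only because the user is already locked) writes a USER_TEMPORARILY_DISABLED entry, and a lock check that either counts all entries or, as the post suggests, filters out the USER_TEMPORARILY_DISABLED / USER_DISABLED entries. The threshold of three failures, the 60 s lock window measured from the newest counted entry, and the reset on successful login are assumptions of this model, not Keycloak's actual semantics.

```python
"""Constructed model of a brute-force lockout whose lock state is computed from
login-failure entries. Not Keycloak code; thresholds and window semantics are
assumed for illustration only."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Error types the report says are written to the login failure model while the
# user is already locked; the fixed variant ignores entries of these types.
LOCK_ERRORS = {"USER_TEMPORARILY_DISABLED", "USER_DISABLED"}
INVALID_CREDENTIALS = "INVALID_USER_CREDENTIALS"
OK = "OK"


@dataclass
class Config:
    max_login_failures: int = 3   # failures before the temporary lock (assumed)
    lockout_seconds: int = 60     # lock lasts this long after the newest failure (assumed)


@dataclass
class LoginFailureStore:
    # (timestamp in seconds, error type), one entry per recorded failure
    entries: List[Tuple[int, str]] = field(default_factory=list)


def is_temporarily_locked(store: LoginFailureStore, now: int, cfg: Config,
                          ignore_lock_errors: bool) -> bool:
    """Locked when at least max_login_failures counted entries exist and the
    newest counted entry is younger than lockout_seconds.

    ignore_lock_errors=False counts every entry, including the ones written
    while the user was already locked (the behaviour the report describes).
    ignore_lock_errors=True drops the lock-type entries first (the suggested fix).
    """
    counted = [e for e in store.entries
               if not (ignore_lock_errors and e[1] in LOCK_ERRORS)]
    if len(counted) < cfg.max_login_failures:
        return False
    newest = max(t for t, _ in counted)
    return now < newest + cfg.lockout_seconds


def attempt_login(store: LoginFailureStore, now: int, password_ok: bool,
                  cfg: Config, ignore_lock_errors: bool) -> str:
    """One login attempt. A locked user gets a USER_TEMPORARILY_DISABLED entry
    recorded even when the password is correct, as the report describes."""
    if is_temporarily_locked(store, now, cfg, ignore_lock_errors):
        store.entries.append((now, "USER_TEMPORARILY_DISABLED"))
        return "USER_TEMPORARILY_DISABLED"
    if not password_ok:
        store.entries.append((now, INVALID_CREDENTIALS))
        return INVALID_CREDENTIALS
    store.entries.clear()   # successful login resets the failure record (assumed)
    return OK


def simulate(ignore_lock_errors: bool, cfg: Config = Config()) -> List[str]:
    """Three wrong passwords at t=0,1,2 s, then the correct password every 30 s
    for ten minutes. Returns the outcome of each correct-password attempt."""
    store = LoginFailureStore()
    for t in (0, 1, 2):
        attempt_login(store, t, False, cfg, ignore_lock_errors)
    return [attempt_login(store, t, True, cfg, ignore_lock_errors)
            for t in range(30, 601, 30)]


def first_success_time(ignore_lock_errors: bool,
                       cfg: Config = Config()) -> Optional[int]:
    """Seconds until the correct password is accepted, or None if it never is."""
    for i, result in enumerate(simulate(ignore_lock_errors, cfg)):
        if result == OK:
            return 30 * (i + 1)
    return None


if __name__ == "__main__":
    # Counting lock entries: each retry at t=30,60,... refreshes the newest
    # entry, so the 60 s window never expires and the user stays locked.
    print("counting lock entries :", first_success_time(False))
    # Ignoring lock entries: the window runs from the last real failure (t=2),
    # so the correct password is accepted at t=90.
    print("ignoring lock entries :", first_success_time(True))
```

The retry interval (30 s) is deliberately shorter than the lock window (60 s); that is the condition under which recording the lock error itself keeps pushing the window forward, and it is exactly what a user repeatedly typing the correct password produces.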