Brute Force Protection locks temporary locked users indefinite

While trying out the brute force protection in 15.0.2 we found out, that a temporary locked user will be locked out indefinite when the proper password is given again and again during the temporary lock timeout.

I investigated the code and may have found the reason. In AuthenticatorUtils#getDisabledByBruteForceEventError it is checked if the user is temporary or permanently locked out, in which case an Errors.USER_TEMPORARILY_DISABLED or Errors.USER_DISABLED gets returned.

Those errors are stored to the login failure model in ValidateUsername.

Finally, the temporary lock state of a user is determined by checking if the user has entries in the login failure model during the defined time span. The error type itself is not being taken into consideration.

So from my understanding, each login attempt during the temp/permant lock phase creates a login failure entry which in turn extends the period indefinite. I would suggest to filter out the USER_TEMPORARILY_DISABLED and USER_DISABLED or types from the result of MapUserLoginFailureProvider.getUserLoginFailure.

Unfortunally JIRA seems broken to me as I cannot login to create an issue. So please have a look into Keycloak and JIRA. :wink:

It looks like the problem was reported before in [KEYCLOAK-5420] Brute Force Detection Max Wait setting is not being honored - Red Hat Issue Tracker which was closed. But the behaviour is still (again?) there. There is another Ticket hidden in the history, but i cannot open it because it was either deleted or I have no permission.