Deny access after 3 attempts


Is it possible to configure Keycloak to deny access to a user on an LDAP server after 3 failed attempts?
If yes, how?
Best regards,

Hi, can you elaborate on the scenario you are aiming to solve?

…deny access to a user on LDAP…

Can't users authenticate directly on the directory server? Just to make sure: your target is to deny users access to applications configured in a realm, in Keycloak, based on the number of failed attempts.

Would those attempts you are mentioning be valid over any period (e.g. days?) and across all clients within your realm? How do you expect a user to recover his access from this scenario?

Keycloak already handles some brute-force attack scenarios (for a short time between attempts). There are better alternatives, such as tools that inspect audit trails and are used by firewalls to temporarily block requests coming from specific IPs.

In the field of possibilities - in addition to many Keycloak features, you can pretty much provide any custom logic you want with your own Authentication SPI.

For instance, you could override the authentication validation method and: check a lock record related to a username; attempt to authenticate the user in LDAP and keep track of failed attempts (consider the possibility of broken connections between the IdP and your directory service); create/clear lock records accordingly, etc. But that may be overkill for what you are trying to solve.

Best regards,

Hi Ivillaca,
Thank you for your reply.
Currently, Keycloak is interfaced with LDAP.
I want to block the user for 24 hours after the third failed attempt (we already have the password recovery procedure); if the user still fails after 24 hours, I want to block him permanently. The last thing I want is to see the attempt counter in the response body.
I am sending you the screenshot of my POST response.
Can Keycloak give me all of that?

thank you again,
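The lock-record logic sketched in the earlier reply (check a lock record, bind against LDAP, count failures, create/clear records) combined with the policy stated above (temporary 24 h lock on the third failure, permanent lock on a further failure once that lock has expired, attempt counter exposed to the caller) as a standalone model; this is an added example, not Keycloak's own code or an Authentication SPI implementation. The `bind_fn`/`now_fn` callbacks, `DirectoryUnavailable` and the result dictionary are assumed interfaces chosen for the example, and the reading of "still fails after 24 hours" as "any further failed attempt after the temporary lock has expired" is an interpretation of the post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

MAX_FAILURES = 3                      # the third failed attempt triggers the 24 h lock
LOCK_DURATION = timedelta(hours=24)

class DirectoryUnavailable(Exception): ...  # the bind callback raises this on an LDAP outage

@dataclass
class LockRecord:
    failures: int = 0
    locked_until: Optional[datetime] = None   # set by the temporary lock
    permanent: bool = False                   # set by a failure after that lock expired

@dataclass
class LockoutPolicy:
    # bind_fn(user, pw) -> True on bind success, False on bad credentials, raises on outage
    bind_fn: Callable[[str, str], bool]
    now_fn: Callable[[], datetime]            # injected clock so the policy can be tested
    records: Dict[str, LockRecord] = field(default_factory=dict)

    def authenticate(self, username: str, password: str) -> dict:
        rec = self.records.setdefault(username, LockRecord())
        now = self.now_fn()
        # 1. consult the lock record before touching the directory
        if rec.permanent:
            return self._deny("permanently_locked", rec)
        if rec.locked_until and now < rec.locked_until:
            return self._deny("temporarily_locked", rec)
        try:
            bound = self.bind_fn(username, password)      # 2. ask the directory
        except DirectoryUnavailable:                       # IdP/LDAP outage: not a failed attempt
            return self._deny("directory_unavailable", rec)
        if bound:
            self.records.pop(username, None)               # 3. success clears the record
            return {"ok": True, "reason": "authenticated", "attempts": 0}
        rec.failures += 1
        if rec.locked_until is not None:                   # failed again after the lock expired
            rec.permanent = True
            return self._deny("permanently_locked", rec)
        if rec.failures >= MAX_FAILURES:
            rec.locked_until = now + LOCK_DURATION
            return self._deny("temporarily_locked", rec)
        return self._deny("bad_credentials", rec)

    @staticmethod
    def _deny(reason: str, rec: LockRecord) -> dict:
        # attempt counter is returned so the caller can surface it in the response body
        return {"ok": False, "reason": reason, "attempts": rec.failures,
                "locked_until": rec.locked_until.isoformat() if rec.locked_until else None}
```

A correct password is still refused while the temporary lock is active, and a directory outage neither increments nor clears the counter, which is the broken-connection case the earlier reply warns about.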