Hi,
When a user enters a wrong user name or password we get an error "Unauthorized - Invalid user credentials", which makes sense.
But in our configuration, after 5 attempts the user is locked. When we send another login with bad credentials we still get "Unauthorized - Invalid user credentials", BUT we have no way to know that the user is locked at this point.
Someone already asked this 5 years ago in this SOF post, but I don't get the answer he received.
For example, one option is to send:
GET /{realm}/attack-detection/brute-force/users/{userId}
but I have 2 problems with this approach:
- I don't have the userId, I have the user name.
- In order to invoke this endpoint I need to be authenticated, which is a paradox since I'm handling a failed login attempt.
Is there no other way to understand that a user is locked?
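As an added example (not part of the original post, and not Keycloak's own code), the following script shows how the two objections in the post are usually dealt with server-side: the backend that handles the login failure resolves the user name to a userId with the admin users search, then queries the brute-force status endpoint with its own service-account token rather than the end user's credentials. It assumes the Keycloak admin REST paths `/admin/realms/{realm}/users?username=...&exact=true` and `/admin/realms/{realm}/attack-detection/brute-force/users/{userId}`, that the latter returns a JSON body with `disabled` and `numFailures` fields, and that the token belongs to a service account holding the realm-management `view-users` role. The environment variable names, the `demo` realm and the fake server data are constructed for the example.

```python
"""Look up a Keycloak user's brute-force lockout status by user name.

Added example, not from the original post. Assumes the Keycloak admin REST API
paths and response fields named in the lead-in, and a service-account bearer
token with the view-users role (assumption, not taken from the post).
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# A getter takes a path relative to the Keycloak base URL and returns
# (HTTP status, decoded JSON body or None). Injecting it keeps the lookup
# logic testable offline against a constructed fake server.
Getter = Callable[[str], Tuple[int, Any]]


def make_http_getter(base_url: str, token: str) -> Getter:
    """Real getter: urllib with a bearer token for a service account, never the end user."""
    def get(path: str) -> Tuple[int, Any]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as e:
            return e.code, None
    return get


def make_fake_getter(realm: str, users: Dict[str, str], lockouts: Dict[str, dict]) -> Getter:
    """Constructed stand-in for a Keycloak server, for offline runs and tests.
    users: username -> userId; lockouts: userId -> brute-force status body."""
    def get(path: str) -> Tuple[int, Any]:
        parts = urllib.parse.urlsplit(path)
        if parts.path == f"/admin/realms/{realm}/users":
            name = urllib.parse.parse_qs(parts.query).get("username", [""])[0]
            return 200, ([{"id": users[name], "username": name}] if name in users else [])
        prefix = f"/admin/realms/{realm}/attack-detection/brute-force/users/"
        if parts.path.startswith(prefix):
            uid = parts.path[len(prefix):]
            return (200, lockouts[uid]) if uid in lockouts else (404, None)
        return 404, None
    return get


def find_user_id(get: Getter, realm: str, username: str) -> Optional[str]:
    """Resolve a user name to the internal userId (the first problem in the post)."""
    q = urllib.parse.urlencode({"username": username, "exact": "true"})
    status, body = get(f"/admin/realms/{realm}/users?{q}")
    if status != 200 or not body:
        return None
    # exact=true should return at most one user, but confirm the name anyway
    for u in body:
        if u.get("username", "").lower() == username.lower():
            return u["id"]
    return None


def lockout_status(get: Getter, realm: str, username: str) -> dict:
    """Return {'exists', 'locked', 'failures'} for a user name.

    'locked' mirrors the 'disabled' flag of the brute-force status endpoint,
    which is set while brute-force detection has the account locked out.
    """
    user_id = find_user_id(get, realm, username)
    if user_id is None:
        return {"exists": False, "locked": False, "failures": 0}
    status, body = get(f"/admin/realms/{realm}/attack-detection/brute-force/users/{user_id}")
    if status != 200 or body is None:
        raise RuntimeError(f"brute-force status lookup failed: HTTP {status}")
    return {"exists": True,
            "locked": bool(body.get("disabled", False)),
            "failures": int(body.get("numFailures", 0))}


if __name__ == "__main__":
    # Usage: lockout_check.py <realm> <username>, with KEYCLOAK_URL and
    # KEYCLOAK_TOKEN in the environment (variable names are this example's own).
    if len(sys.argv) != 3:
        sys.exit("usage: lockout_check.py <realm> <username>")
    getter = make_http_getter(os.environ["KEYCLOAK_URL"], os.environ["KEYCLOAK_TOKEN"])
    print(json.dumps(lockout_status(getter, sys.argv[1], sys.argv[2])))
```

The check runs in the backend that already received the failed login, so the end user is never asked for admin rights. Whether the result is then shown to the user is a separate design decision: a distinct "account locked" message tells an unauthenticated caller that the account exists and that the lockout threshold was reached, so many deployments keep the generic error for the user and use the lockout status only for logging, alerting or a support workflow.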