Keycloak Custom message on user temporary lock

I am using Keycloak 12.0.4, and have enabled brute force detection for my realm. Now whenever a user provides wrong credentials 3 times, the user is locked temporarily.

But the user still sees “Invalid username/password”.

But I still want to show the user that their account has been locked.

Is there any way to customize this message?

I tried doing this by adding message in custom keycloak theme as below:

location: themes\adminlte\login\messages\messages_en.properties

accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later.

Has anyone resolved the above issue?
I would like to send an email to the user saying “your account is locked, try after 15 mins”. How can I implement it?

Thanks,
Kabi

Seems to be a bug in the Keycloak backend. I fixed it; refer to the workaround below.
Step 1:
Download the Keycloak backend source code from Tags · keycloak/keycloak · GitHub (make sure to download your server version)

Step 2:
Make changes to two methods in the org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator class in the services module:

protected Response challenge(AuthenticationFlowContext context, String error) {
    LoginFormsProvider form = context.form()
            .setExecution(context.getExecution().getId());

    if (error != null) {
        // Pass the realm's Wait Increment (in minutes) as parameter {0}
        // of accountTemporarilyDisabledMessage; compare with equals(), not ==
        if (Messages.ACCOUNT_TEMPORARILY_DISABLED.equals(error)) {
            form.setError(error, context.getRealm().getWaitIncrementSeconds() / 60);
        } else {
            form.setError(error);
        }
    }
    return createLoginForm(form);
}

// Report the temporary lock instead of the generic invalid-user message
protected String tempDisabledError() {
    return Messages.ACCOUNT_TEMPORARILY_DISABLED;
}

Step 3:
Compile the …/service module and replace the keycloak-services-<>.jar file in the server location (.\keycloak-<>\modules\system\layers\keycloak\org\keycloak\keycloak-services\main)

Step 4:
Restart the Keycloak service
(E.g. C:\dev\opt\sso\keycloak-8.0.1\bin\standalone.bat -Djboss.socket.binding.port-offset=100)

Step 5:
Change the message accountTemporarilyDisabledMessage based on your requirement in the theme location, themes\adminlte\login\messages\messages_en.properties

Message should be like this,
accountTemporarilyDisabledMessage=Your account is locked due to the multiple invalid login attempts, Please try after {0} mins.

Note: You can change the maximum login attempts and max waiting time via the Keycloak admin console path,
Realm Settings >> Security Defenses >> Brute Force Detections
Parameters: Max Login Failures and Wait Increment

This works for me.

Enjoy Keycloak :slight_smile:
-Nandika

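The same two changes can be shipped as a Keycloak authenticator provider instead of a patched keycloak-services jar, which survives upgrades. The following is an added example, not code from the thread or from Keycloak; the package name, class names and provider id are assumptions, and it relies on the protected challenge()/tempDisabledError() methods shown above.

```java
package com.example.keycloak.auth; // hypothetical package

import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.messages.Messages;

/**
 * Replacement for the built-in "Username Password Form" authenticator with the
 * two changes from the patched AbstractUsernameFormAuthenticator above.
 * Trade-off: the lock message confirms that the username exists, which is why
 * the stock behaviour answers with the generic "Invalid username/password".
 */
public class LockoutAwareUsernamePasswordForm extends UsernamePasswordForm {
    @Override
    protected Response challenge(AuthenticationFlowContext context, String error) {
        LoginFormsProvider form = context.form()
                .setExecution(context.getExecution().getId());
        if (error != null) {
            if (Messages.ACCOUNT_TEMPORARILY_DISABLED.equals(error)) {
                // {0} in accountTemporarilyDisabledMessage = Wait Increment in minutes (min 1).
                // The actual lock grows with further failures, up to Max Wait.
                form.setError(error, Math.max(1, context.getRealm().getWaitIncrementSeconds() / 60));
            } else {
                form.setError(error);
            }
        }
        return createLoginForm(form);
    }
    /** Report the temporary lock instead of the generic invalid-user error. */
    @Override
    protected String tempDisabledError() {
        return Messages.ACCOUNT_TEMPORARILY_DISABLED;
    }
    /** Register in META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory extends UsernamePasswordFormFactory {
        @Override public String getId() { return "lockout-aware-username-password-form"; }
        @Override public String getDisplayType() { return "Username Password Form (lock message)"; }
        @Override public Authenticator create(KeycloakSession session) {
            return new LockoutAwareUsernamePasswordForm();
        }
    }
}
```

Package it as a jar, deploy it to the server, then in Authentication > Flows replace the "Username Password Form" execution of your browser flow with the new one; Step 5's message with the {0} placeholder applies unchanged.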

Hi @Nandika, that’s amazing that you found a bug and solved it by yourself.

Is this bug already registered on Keycloak issue tracker?

Would you mind creating a PR to fix this issue for everyone else in the next release? And also be praised for your contribution :slight_smile:?

Thank you

Thanks @erickmoreno

Refer to one of the related tickets https://issues.redhat.com/browse/KEYCLOAK-8013

But the Keycloak default intention does not tally with the actual user requirements :slight_smile:

Hi @Nandika
Thank You for this answer. This is very helpful.

I would like to build and run the modified Keycloak source code locally. Do you have any steps or links on how to set up a local build/run/test env? Asking as the code base is a little complex. Looking at the pom.xml, I am not finding the standard pattern of building a Keycloak war file and running it directly on an app server like Tomcat or JBoss.

Thanks in advance