Unlock account on password reset


Is there any possibility to unlock an account in Keycloak using the password reset link?
If no, will this be implemented in the future?


If I get you right, you want a user who resets the password to also be unlocked?
In my opinion the code is always implemented to check first if an account is locked and then cancel all kinds of self-service action.
So the general implementation nature is just vice versa to your expectation.

Also, be aware that the bruteforce-protection module has an option to lock an account in case of many login tries. So your approach would conflict.

In general, I would recommend having such an option only in conjunction with additional security mechanisms like security questions (which are only delivered as a sample).

Technically Keycloak has all APIs and SPIs that are required to build this. To request a feature I believe it's best to look at the Keycloak Jira, open an issue and possibly also deliver some implementation.

Hi vju42,

Thanks for your answer. I will try to clarify what I need.

I am using Keycloak version 8.0.1.
I have enabled brute force protection, with 30 minutes timeout after 5 failed login attempts.

Now when my user is temporarily locked by 6 or more login attempts, I want to be able to unlock my user account by resetting my password.
This is odd, but when I successfully reset my password my account is still locked, yet I can log in once. When I log out I cannot log in again.
Probably this bug occurs: https://issues.redhat.com/browse/KEYCLOAK-13054
It is fixed in 9.0.2 version.

But I am really confused because official documentation does not say anything about it and there are two Keycloak issues:
and KEYCLOAK-5513

One says that account should not be unlocked in this case because it is a security threat, and second: “A user that is temporarily disabled due to failed login attempts is able to reset the password if password reset is enabled. This is the expected behaviour.”

Now I am not sure what is the expected behavior. It would be really great if someone would clarify this flow for me.

Many thanks

I am also stuck on this issue,

Scenario I tested below,

The user is in a temporarily blocked state after a few failed login attempts.
But the user can access the system when he changes the password using the change password option. This is only working for normal users, not for users who have enabled MFA (OTP).

For non-MFA users,
User status is temporarily blocked even after he has changed the password.

MFA-enabled users cannot change the password and always get the error at OTP verification (Invalid code).
How to fix this?