Keycloak / KEYCLOAK-19773

BFD and Direct Grant - inconsistent number of failures


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 15.0.2
    • Fix Version/s: 15.1.0
    • Component/s: Authentication

    Steps to Reproduce

      1. Brute force detection is turned on and configured on the realm.

      2. Testing the BFD algorithm through the browser gives the expected results: the account is (temporarily) locked after the configured number of (re)tries, and the flow correctly detects when the account is locked.

      3. When a bad password is detected in AbstractUsernameFormAuthenticator, context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse); is returned to the user, and when a locked account is detected, context.forceChallenge(challengeResponse); is returned to the user.
      The difference between these two in DefaultAuthenticationFlow is that "failure" triggers processor.logFailure(), which increments the BFD counter, and "force" doesn't.

      4. The behavior with direct grant is different, as the number of failures increases when the account is temporarily locked.

    Description

      The number of failures for BFD is incremented in Direct Grant (ValidateUsername) even when the user is temporarily disabled.

      Related description: https://groups.google.com/g/keycloak-dev/c/CUrzhGL_uog
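      To check the reported behaviour against a running server, the following is an added reproduction helper; it is example code, not Keycloak project code and not part of the issue. It assumes a Keycloak 15 server at http://localhost:8080/auth, a realm "test" with brute force detection enabled, a public client "test-client" with Direct Access Grants enabled, a test user, and an admin bearer token and the user's id obtained separately (all of these names are assumptions). The admin endpoint GET /admin/realms/{realm}/attack-detection/brute-force/users/{userId} and its "numFailures" and "disabled" fields are part of the Keycloak admin REST API; the counter analysis in increments_while_locked is the added part and encodes the expectation from the report: with the browser flow the counter stops at the configured threshold because the locked-user path uses forceChallenge (no logFailure), whereas the Direct Grant path keeps incrementing.

```python
"""Reproduction helper for the BFD counter inconsistency (added example,
not Keycloak project code). All server names, realm/client names and
credentials below are assumptions, not values from the issue."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import List

BASE_URL = "http://localhost:8080/auth"  # assumption: Keycloak 15 (WildFly) /auth prefix
REALM = "test"                           # assumption
CLIENT_ID = "test-client"                # assumption: public client, direct grants enabled


def direct_grant_attempt(username: str, password: str) -> int:
    """Run one Direct Grant (grant_type=password) login and return the HTTP status.

    A wrong password and a temporarily locked account both come back as 401,
    so the status alone does not tell you whether the failure was counted;
    the admin brute-force record does.
    """
    url = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def brute_force_status(admin_token: str, user_id: str) -> dict:
    """Read the realm's brute-force record for one user via the admin REST API.

    The JSON contains numFailures, disabled, lastFailure and lastIPFailure.
    """
    url = f"{BASE_URL}/admin/realms/{REALM}/attack-detection/brute-force/users/{user_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {admin_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def increments_while_locked(observed: List[int], failure_factor: int) -> List[int]:
    """Return the 1-based attempt numbers at which numFailures grew although the
    account was already at or past the lock threshold (failure_factor).

    observed[i] is numFailures read right after attempt i+1, starting from a
    cleared record. With the browser flow the counter stops at failure_factor
    (the locked-user path uses forceChallenge, which does not call logFailure);
    with the Direct Grant path described in the report it keeps rising, so this
    list is non-empty.
    """
    hits = []
    prev = 0  # assumes the user's brute-force record was cleared beforehand
    for attempt, count in enumerate(observed, start=1):
        if prev >= failure_factor and count > prev:
            hits.append(attempt)
        prev = count
    return hits


def reproduce(admin_token: str, user_id: str, username: str,
              failure_factor: int, attempts: int) -> List[int]:
    """Send `attempts` bad passwords over Direct Grant, sampling numFailures after each."""
    observed = []
    for _ in range(attempts):
        direct_grant_attempt(username, "definitely-wrong-password")
        observed.append(brute_force_status(admin_token, user_id)["numFailures"])
    return increments_while_locked(observed, failure_factor)


if __name__ == "__main__":
    # Placeholders: obtain a real admin token and the user's id before running.
    overshoot = reproduce("ADMIN_TOKEN", "USER_ID", "bob", failure_factor=3, attempts=6)
    print("counter grew while locked at attempts:", overshoot)
```

      With Max Login Failures set to 3, a browser-flow run yields a sampled series such as 1, 2, 3, 3, 3, 3 and an empty result, while the Direct Grant behaviour in the report yields 1, 2, 3, 4, 5, 6 and reports attempts 4 to 6. Clear the user's record between runs with DELETE on the same attack-detection path so the series starts from zero.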

    People

      Assignee: Unassigned
      Reporter: Nemanja Hirsl (nh_netset)