Red Hat build of Keycloak
RHBK-1862

Failure reset time is applied to Permanent Lockout [GHI#28821]



      Area

      core

      Describe the bug

      The setting (or default value) for Failure Reset Time is applied to permanent lockout. In previous versions of Keycloak this setting was only applied to temporary lockout. This setting isn't configurable for Permanent Lockout.

      Version

      24

      Regression

      [ ] The issue is a regression

      Expected behavior

      The failure count for a given user is not reset after a time period when Brute Force with Permanent Lockout is configured.

      Actual behavior

      The failure count for a given user is reset after 12 hours (or whatever was previously configured for temporary lockout) when Brute Force with Permanent Lockout is configured.

      How to Reproduce?

      1. Enable Brute Force Protection for the realm.
      2. Select temporary lockout.
      3. Set Max Login Failures to 1.
      4. Set Failure Reset Time to 5 seconds.
      5. Save.
      6. Select Permanent Lockout and save.
      7. Try to log in with invalid credentials.
      8. Wait at least 5 seconds.
      9. Try to log in with invalid credentials.
      10. Check the status of the user; it will not be Disabled.
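      The following is a simplified model of the failure counter, added here to make the reported behaviour concrete; it is not Keycloak's code. It replays the steps above (two invalid logins more than 5 seconds apart with Max Login Failures = 1) once with the reset window applied to permanent lockout, as reported for version 24, and once with the reset restricted to temporary lockout, as in previous versions. The lockout threshold (lock once the count exceeds the maximum) and the field names are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BruteForceConfig:
    max_login_failures: int = 1        # "Max Login Failures" from the report
    failure_reset_seconds: int = 5     # "Failure Reset Time" from the report
    permanent_lockout: bool = True     # False models temporary lockout


@dataclass
class FailureState:
    num_failures: int = 0
    last_failure: Optional[float] = None  # seconds; None until the first failure
    disabled: bool = False


def record_failure(cfg: BruteForceConfig, st: FailureState, now: float,
                   reset_applies_to_permanent: bool) -> FailureState:
    """Record one failed login at time `now` (seconds).

    reset_applies_to_permanent=True models the behaviour reported for version 24
    (the reset window clears the counter in both lockout modes); False models the
    previous behaviour (the reset window only applies to temporary lockout).
    """
    window_expired = (st.last_failure is not None
                      and now - st.last_failure > cfg.failure_reset_seconds)
    if window_expired and (reset_applies_to_permanent or not cfg.permanent_lockout):
        st.num_failures = 0          # Failure Reset Time elapsed: counter cleared
    st.num_failures += 1
    st.last_failure = now
    # Assumption of this model: the account is locked once the failure count
    # exceeds the configured maximum; with permanent lockout that disables the user.
    if cfg.permanent_lockout and st.num_failures > cfg.max_login_failures:
        st.disabled = True
    return st


def reproduce(reset_applies_to_permanent: bool, permanent: bool = True) -> FailureState:
    """Replay the report's steps: two invalid logins more than 5 seconds apart."""
    cfg = BruteForceConfig(permanent_lockout=permanent)
    st = FailureState()
    record_failure(cfg, st, now=0.0, reset_applies_to_permanent=reset_applies_to_permanent)
    record_failure(cfg, st, now=6.0, reset_applies_to_permanent=reset_applies_to_permanent)
    return st


if __name__ == "__main__":
    print("version 24 behaviour, user disabled:", reproduce(True).disabled)   # False
    print("expected behaviour, user disabled:", reproduce(False).disabled)    # True
```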

      Anything else?

      No response

            Assignee: Unassigned
            Reporter: Pavel Vlha (pvlha)
            Component: Keycloak Core (shared)