Type: Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
The setting (or default value) for Failure Reset Time is applied to permanent lockout. In previous versions of Keycloak this setting was only applied to temporary lockout, and it is not configurable for Permanent Lockout.
Version
24
Regression
[ ] The issue is a regression
Expected behavior
The failure count for a given user is not reset after a time period when Brute Force with Permanent Lockout is configured.
Actual behavior
The failure count for a given user is reset after 12 hours (or whatever was previously configured for temporary lockout) when Brute Force with Permanent Lockout is configured.
How to Reproduce?
1. Enable Brute Force Protection for the realm.
2. Select temporary lockout.
3. Set Max Login Failures to 1.
4. Set Failure Reset Time to 5 seconds.
5. Save.
6. Select Permanent Lockout and save.
7. Try to log in with invalid credentials.
8. Wait at least 5 seconds.
9. Try to log in with invalid credentials.
10. Check the status of the user; it will not be Disabled.
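The counter behaviour the reproduction steps exercise, as an added toy model written for this page (it is not Keycloak's implementation; every name in it is an assumption). It models the two policies side by side: one where the Failure Reset Time window is applied in both lockout modes (the reported behaviour) and one where it applies only to temporary lockout (the expected behaviour). The threshold is raised to two failures so the effect of the reset window shows up in the failure count rather than only in the final state.

```python
"""Toy model of a brute-force failure counter with temporary and permanent lockout.

Constructed for illustration only; it is not Keycloak's code. Two reset policies
are modelled so the difference described in the report can be observed:
  - RESET_ALWAYS: the failure-reset window is applied in both lockout modes
    (the behaviour the report describes as the bug).
  - RESET_TEMPORARY_ONLY: the window applies only to temporary lockout
    (the behaviour the report expects).
"""
from dataclasses import dataclass
from typing import List, Optional

RESET_ALWAYS = "reset_always"
RESET_TEMPORARY_ONLY = "reset_temporary_only"


@dataclass
class Policy:
    max_login_failures: int        # "Max Login Failures" in the realm settings
    failure_reset_seconds: int     # "Failure Reset Time" in the realm settings
    permanent_lockout: bool        # True = Permanent Lockout, False = Temporary Lockout
    reset_mode: str = RESET_TEMPORARY_ONLY
    temp_lock_seconds: int = 60    # assumed fixed wait for the temporary mode


@dataclass
class UserState:
    num_failures: int = 0
    last_failure_at: Optional[float] = None
    disabled: bool = False               # outcome of permanent lockout
    locked_until: Optional[float] = None  # outcome of temporary lockout


def record_failure(policy: Policy, user: UserState, now: float) -> UserState:
    """Account for one failed login at time `now` (seconds) and apply lockout."""
    # The reset window always applies to temporary lockout; whether it also
    # applies to permanent lockout is exactly the point the report is about.
    window_applies = (not policy.permanent_lockout) or policy.reset_mode == RESET_ALWAYS
    if (window_applies and user.last_failure_at is not None
            and now - user.last_failure_at > policy.failure_reset_seconds):
        user.num_failures = 0  # earlier failures are forgotten

    user.num_failures += 1
    user.last_failure_at = now

    if user.num_failures >= policy.max_login_failures:
        if policy.permanent_lockout:
            user.disabled = True
        else:
            user.locked_until = now + policy.temp_lock_seconds
    return user


def replay(policy: Policy, failure_times: List[float]) -> UserState:
    """Feed a sequence of failed-login timestamps (constructed input) through the model."""
    user = UserState()
    for t in failure_times:
        record_failure(policy, user, t)
    return user


if __name__ == "__main__":
    # Two failures 10 s apart with a 5 s reset window, permanent lockout.
    for mode in (RESET_ALWAYS, RESET_TEMPORARY_ONLY):
        p = Policy(max_login_failures=2, failure_reset_seconds=5,
                   permanent_lockout=True, reset_mode=mode)
        u = replay(p, [0.0, 10.0])
        print(f"{mode}: failures={u.num_failures} disabled={u.disabled}")
```

Under RESET_ALWAYS the second failure lands after the window has expired, the count drops back to one and the account is never disabled; under RESET_TEMPORARY_ONLY the count reaches two and the user is disabled, which is the outcome the report expects for Permanent Lockout.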
Anything else?
No response