
I am using Keycloak 4.8.0 and have enabled brute force detection for my realm. Now whenever a user provides wrong credentials 3 times, the user is locked temporarily.

But the user still sees "Invalid username/password".

According to this thread, Keycloak has done this intentionally: https://issues.jboss.org/browse/KEYCLOAK-5284

But I still want to show the user that his account has been locked.

Is there any way to customize this message?

I tried doing this by adding the message to a custom Keycloak theme as below:

location: themes\adminlte\login\messages\messages_en.properties

accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later.

This change is not working.

James Z
Sarang
    If you do this, a smart brute force detection can find all email addresses available in your system by just temporarily locking them. This is why the lock message is intentionally not added – Marcel May 13 '20 at 12:56
  • Yes @Marcel I understand. Thank You :) – Sarang May 19 '20 at 06:35
  • Regarding @Marcel's comment, here is a source confirming it is intentional. https://issues.redhat.com/browse/KEYCLOAK-8013 – DarkMikey Jan 17 '22 at 16:43

1 Answer

After going through the Keycloak base code, what I found is: Keycloak uses Messages.INVALID_USER (invalidUserMessage) from the properties, which is set in the AbstractFormAuthenticator class.

This class is ultimately extended by UsernamePasswordForm. To change this to a custom message, I wrote a custom authenticator (Keycloak SPI) like below:

import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.services.messages.Messages;

public class CustomUsernameFormAuthenticator extends UsernamePasswordForm {

    // The base class returns Messages.INVALID_USER here, so a temporarily
    // locked account looks exactly like a wrong password. Returning the
    // ACCOUNT_TEMPORARILY_DISABLED key makes the login page render
    // accountTemporarilyDisabledMessage from the theme's messages bundle.
    @Override
    protected String tempDisabledError() {
        return Messages.ACCOUNT_TEMPORARILY_DISABLED;
    }
}

After this, deploy the SPI jar in Keycloak and enable it in your realm. And we are done :)

Sarang
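The answer above shows only the authenticator class. For Keycloak to offer it in an authentication flow, the jar also needs an AuthenticatorFactory and a service registration. The following is an added example, not code from the answer or from the Keycloak project; the package name, the factory class name and the provider id "custom-username-password-form" are assumptions chosen for this illustration. The authenticator from the answer is nested here so the example compiles as a single file.

```java
package com.example.keycloak;

import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.messages.Messages;

/**
 * Factory that registers the custom username/password form as a separate
 * authenticator provider. Extending the built-in factory keeps the display
 * category, requirement choices and config metadata of the stock form.
 */
public class CustomUsernameFormAuthenticatorFactory extends UsernamePasswordFormFactory {

    // Must differ from the built-in "auth-username-password-form" so the stock
    // authenticator and this one can coexist in the same realm. (Assumed id.)
    public static final String PROVIDER_ID = "custom-username-password-form";

    // Authenticators are stateless, so a single shared instance is enough.
    private static final CustomUsernameFormAuthenticator SINGLETON =
            new CustomUsernameFormAuthenticator();

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        // Label shown in the admin console when adding an execution to a flow.
        return "Username Password Form (reports temporary lockout)";
    }

    @Override
    public Authenticator create(KeycloakSession session) {
        return SINGLETON;
    }

    /** Same override as in the answer: report the lockout instead of a generic failure. */
    public static class CustomUsernameFormAuthenticator extends UsernamePasswordForm {
        @Override
        protected String tempDisabledError() {
            return Messages.ACCOUNT_TEMPORARILY_DISABLED;
        }
    }
}
```

To register it, add a file META-INF/services/org.keycloak.authentication.AuthenticatorFactory to the jar containing the single line com.example.keycloak.CustomUsernameFormAuthenticatorFactory, deploy the jar, then in the admin console copy the built-in Browser flow, replace its Username Password Form execution with the new provider, and bind the copy as the realm's browser flow. Keep the trade-off from the comments in mind: once the lockout is reported, an attacker can tell which usernames exist by triggering the lock and watching which accounts change their error message.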