
We started using Keycloak as the identity and access management solution for our new project design and enabled Brute Force Detection for my newly created Realm.

It's working, but in my use case I have to notify my users that they have to wait another 30 min before trying to log in again, since they have reached Max Login Failure. But I get the same 'invalid_grant' error message whenever I try with the wrong or the correct password after the max failure is reached.

{ "error": "invalid_grant", "error_description": "Invalid user credentials" }

How do I differentiate the response message to notify my users?

Mohankumar D

1 Answer


You need to use a customized Direct Grant Authenticator implementation. Start from here:

Server development docs

default authenticator implementation

But before diving into customization, I suggest you thoroughly analyze your requirements. Responding with "account is locked" at least gives me the information that I've successfully guessed a username, and now I can proceed with attacking the specified account. From my point of view it's way better to asynchronously notify (e.g. via email or SMS) the user about a possible BF attack on his account.

solveMe
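The approach the answer recommends, as an added example (not from the question, the answer, or the Keycloak project): a custom direct-grant authenticator that checks the brute-force protector, sends the lockout notice out of band by email, and still returns the same generic `invalid_grant` body as a wrong password, so the response does not reveal that the username exists. It assumes Keycloak's Authenticator SPI as of the `jakarta` namespace (22 and later), the `EmailSenderProvider.send(config, user, subject, text, html)` overload, a hypothetical provider id `direct-grant-lockout-notify`, and that the class is registered in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` and placed after "Username Validation" in a copy of the Direct Grant flow.

```java
import jakarta.ws.rs.core.Response; // javax.ws.rs on Keycloak releases before 22
import org.keycloak.authentication.*;
import org.keycloak.authentication.authenticators.directgrant.AbstractDirectGrantAuthenticator;
import org.keycloak.email.*;
import org.keycloak.events.Errors;
import org.keycloak.models.*;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.provider.ProviderConfigProperty;
import java.util.List;
// Placed after "Username Validation" and before "Password" in a copy of the Direct Grant flow.
public class LockoutNotifyAuthenticator extends AbstractDirectGrantAuthenticator {
    public static final String PROVIDER_ID = "direct-grant-lockout-notify"; // hypothetical id

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        RealmModel realm = context.getRealm();
        UserModel user = context.getUser(); // resolved by the preceding username step
        if (realm.isBruteForceProtected()
                && context.getProtector().isTemporarilyDisabled(context.getSession(), realm, user)) {
            context.getEvent().user(user);
            context.getEvent().error(Errors.USER_TEMPORARILY_DISABLED);
            notifyLockout(context.getSession(), realm, user);
            // Same body as for a wrong password, so the caller cannot tell "locked" from "invalid".
            Response challenge = errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(),
                    "invalid_grant", "Invalid user credentials");
            context.failure(AuthenticationFlowError.USER_TEMPORARILY_DISABLED, challenge);
            return;
        }
        context.success(); // not locked: the following password step decides
    }

    // Out-of-band notice to the account owner; the HTTP response never carries it (assumed send() overload).
    private void notifyLockout(KeycloakSession session, RealmModel realm, UserModel user) {
        if (user.getEmail() == null) return;
        try {
            session.getProvider(EmailSenderProvider.class).send(realm.getSmtpConfig(), user,
                    "Too many failed logins", "Your account is temporarily locked; retry later.", null);
        } catch (EmailException e) { /* a failed notice must not change the response */ }
    }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) {}
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Lockout notify"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Emails a locked-out user; the error body stays generic."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
    @Override public Requirement[] getRequirementChoices() { return new Requirement[] { Requirement.REQUIRED }; }
}
```

The `USER_TEMPORARILY_DISABLED` event still lands in the realm's event log, so administrators can see lockouts even though clients cannot.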