Does Identity Server 4 supports suspension of accounts after a number of failed login attempts?
I know there are better ways of dealing with failed login attempts, like asking the user for more forms of identification when they eventually successfully log in. But is it easy enough to extend Identity Server 4 to suspend accounts after x amounts of failed logins, by IP address, etc.?
IdentityServer does not support user lockout by default. You can setup ASP.NET Identity to handle that for you. In fact IdentityServer has a sample integration with ASP.NET Identity. You can setup user lockout in the Identity options in the ConfigureServices method.
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromDays(1);
options.Lockout.MaxFailedAccessAttempts = 20;
});