
Keycloak: Temporary and permanent lockout of user


I need to "implement" the following flow in Keycloak as IdP:

  1. The user has 3 failed logins
  2. The user should be temporarily locked for 5 minutes
  3. The user has 3 failed logins again
  4. The user should be temporarily locked for 5 minutes again
  5. The user has 3 failed logins again
  6. The user should be locked permanently
  7. The user should receive an e-mail that he's locked permanently.

I saw the Brute Force detection under Authentication in Keycloak. But my scenario addresses both the temporary and permanent lockout.

Do you have any idea about a possible approach to address this requirement?


Solution

  • Keycloak has only one implementation of BruteForceProtector out of the box: DefaultBruteForceProtector

    You can implement your own provider:

    Keycloak is designed to cover most use-cases without requiring custom code, but we also want it to be customizable. To achieve this Keycloak has a number of Service Provider Interfaces (SPI) for which you can implement your own providers.
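The escalating policy the question describes, as an added example that is not from the question, the answer or Keycloak itself: a Python model of the state and decisions a custom BruteForceProtector would have to keep (3 failures, 5-minute lock, twice, then permanent lock plus a notification). The class and callback names are mine; whether a successful login should reset the escalation count is not stated in the question, so keeping it is an assumption.

```python
from dataclasses import dataclass

MAX_FAILURES = 3                     # failures per round before a lock
TEMP_LOCK_SECONDS = 5 * 60           # length of a temporary lock
TEMP_LOCKOUTS_BEFORE_PERMANENT = 2   # third round of failures locks for good


@dataclass
class LockoutState:
    failures: int = 0          # failed logins in the current round
    temp_lockouts: int = 0     # temporary locks already applied
    locked_until: float = 0.0  # epoch seconds; 0 means not temporarily locked
    permanent: bool = False


class LockoutPolicy:
    """Hypothetical policy object; `notify(user)` would send the e-mail."""

    def __init__(self, notify):
        self.states = {}
        self.notify = notify

    def state(self, user):
        return self.states.setdefault(user, LockoutState())

    def is_locked(self, user, now):
        s = self.state(user)
        return s.permanent or now < s.locked_until

    def failed_login(self, user, now):
        """Record a failure; returns 'counting', 'temporary' or 'permanent'."""
        s = self.state(user)
        if s.permanent:
            return "permanent"
        if now < s.locked_until:
            return "temporary"          # attempts during a lock are not counted
        s.failures += 1
        if s.failures < MAX_FAILURES:
            return "counting"
        s.failures = 0                  # round complete, start the next one
        if s.temp_lockouts >= TEMP_LOCKOUTS_BEFORE_PERMANENT:
            s.permanent = True
            self.notify(user)           # step 7: tell the user about the permanent lock
            return "permanent"
        s.temp_lockouts += 1
        s.locked_until = now + TEMP_LOCK_SECONDS
        return "temporary"

    def successful_login(self, user, now):
        """Accept only when unlocked; resets the round, keeps the escalation (assumption)."""
        if self.is_locked(user, now):
            return False
        self.state(user).failures = 0
        return True
```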