Keycloak custom brute force detection

Time:06-29

I am trying to figure out whether it is possible to create custom brute force detection in Keycloak. The logic they have doesn't match my requirements, so I have to extend or create my own provider. For example, what I need is: after X failed login attempts, the user should be blocked for X minutes. After the user gets unlocked and fails again, I want to specify a Y time. In Keycloak it is currently going to be the same X value for that user, because they have an algorithm to calculate the wait time: wait time * (countOfFailures / maxFailures). The division is an integer division rounded down to a whole number,

and if I set a 10 min max, the first 5 fails will be a 10 min wait, then on the sixth one it will be 20 min.
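To make the two behaviours concrete, here is a small model of both lockout policies that I have added; it is not Keycloak code and not part of the question. `keycloak_style_wait` reproduces the integer-division formula quoted above (the `max_wait_s` cap is an assumption modelled on Keycloak's "max wait" realm setting), and `EscalatingLockoutPolicy` models the requested behaviour, where each successive lockout takes the next duration from a list. The events in `SAMPLE_EVENTS` are constructed; the assumption that the failure counter restarts after a lockout expires is mine.

```python
"""Model of two login-failure lockout policies (constructed example, not Keycloak code)."""
from dataclasses import dataclass
from typing import List, Tuple


def keycloak_style_wait(wait_increment_s: int, max_failures: int,
                        failures: int, max_wait_s: int) -> int:
    """Wait time as quoted in the question: wait * (failures // max_failures).

    Below max_failures there is no lockout. The cap is an assumption modelled
    on Keycloak's "max wait" setting, not a value taken from the question.
    """
    if failures < max_failures:
        return 0
    return min(max_wait_s, wait_increment_s * (failures // max_failures))


@dataclass
class UserLockState:
    failures: int = 0        # consecutive failures since the last unlock or success
    lockouts: int = 0        # lockouts so far; drives the escalation
    locked_until: int = 0    # simulated epoch seconds; 0 means not locked


class EscalatingLockoutPolicy:
    """After max_failures failures, lock for lock_durations_s[lockouts];
    the list index grows with each lockout and sticks at the last entry."""

    def __init__(self, max_failures: int, lock_durations_s: List[int]):
        if max_failures < 1 or not lock_durations_s:
            raise ValueError("need max_failures >= 1 and at least one duration")
        self.max_failures = max_failures
        self.lock_durations_s = lock_durations_s

    def is_locked(self, state: UserLockState, now: int) -> bool:
        return now < state.locked_until

    def record_failure(self, state: UserLockState, now: int) -> int:
        """Count a failed attempt; return the lockout applied in seconds (0 if none)."""
        if self.is_locked(state, now):
            return 0                      # attempts during a lockout are not counted
        state.failures += 1
        if state.failures < self.max_failures:
            return 0
        idx = min(state.lockouts, len(self.lock_durations_s) - 1)
        duration = self.lock_durations_s[idx]
        state.locked_until = now + duration
        state.lockouts += 1
        state.failures = 0                # assumption: counter restarts after the lockout
        return duration

    def record_success(self, state: UserLockState, now: int) -> bool:
        """A correct password during a lockout is still rejected; otherwise reset."""
        if self.is_locked(state, now):
            return False
        state.failures = 0
        state.lockouts = 0
        state.locked_until = 0
        return True


def replay(policy: EscalatingLockoutPolicy,
           events: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Replay (time_s, 'fail'|'ok') events for one user and return a trace."""
    state = UserLockState()
    trace = []
    for t, kind in events:
        if policy.is_locked(state, t):
            trace.append((t, kind, "rejected: locked"))
        elif kind == "ok":
            policy.record_success(state, t)
            trace.append((t, kind, "accepted"))
        else:
            applied = policy.record_failure(state, t)
            trace.append((t, kind, f"locked {applied}s" if applied else "counted"))
    return trace


# Constructed event stream: three failures, a correct password while locked,
# three more failures after the lock expires, then a success much later.
SAMPLE_EVENTS = [(0, "fail"), (10, "fail"), (20, "fail"), (100, "ok"),
                 (700, "fail"), (710, "fail"), (720, "fail"), (3000, "ok")]


def demo() -> List[Tuple[int, str, str]]:
    """Lock 3 failures for 10 minutes first, 30 minutes the second time."""
    return replay(EscalatingLockoutPolicy(3, [600, 1800]), SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in (4, 5, 9, 10):
        print(f"default-style, {f} failures: wait {keycloak_style_wait(600, 5, f, 36000)}s")
    for line in demo():
        print(line)
```

The trace shows the point of the question: with the quoted formula the wait only grows when the failure count crosses another multiple of `maxFailures`, whereas the escalating policy moves to the next duration as soon as the user is locked a second time. Whichever policy is used, `record_success` refusing a correct password during an active lockout is the part a custom protector must not lose, otherwise the lockout can be probed for the right password.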

CodePudding user response:

Keycloak has an SPI named org.keycloak.services.managers.BruteForceProtectorSpi that you can implement, but it's in the server-spi-private module, which means it's supposed to be used only by Keycloak itself and not to be extended. I have never tried to implement an SPI of that module. It may not work at all, or even if you manage to make it work, the interface and the way it's used may change in future versions without any notice.

EDIT:

Remember, if you're overriding such a service provider (one that Keycloak expects to have only one instance of active at a time), you should define it in the WildFly configuration under the keycloak subsystem (I don't know how to do it in the recent Quarkus versions, but you get the idea) and then set it as the default provider. Here is what I did when I wanted to add a custom LocaleSelector provider:

<spi name="localeSelector">
    <default-provider>custom-locale-selector</default-provider>
    <!-- the provider name must match the default-provider value above -->
    <provider name="custom-locale-selector" enabled="true">
        <properties>
            <property name="prop1" value="value1"/>
        </properties>
    </provider>
</spi>

CodePudding user response:

SOLUTION

I just created these classes:

  • CustomBruteForceProtector
  • CustomBruteForceProtectorFactory
  • CustomBruteForceProtectorSpi

Then specify them in: META-INF/services

  • org.keycloak.provider.Spi
  • org.keycloak.services.managers.BruteForceProtectorFactory

And in the end we need to specify the default Protector SPI (standalone-ha.xml):

<spi name="bruteForceProtector">
    <default-provider>custom-brute-force-detector</default-provider>
    <provider name="custom-brute-force-detector" enabled="true"></provider>
</spi>

Then under Server Info / Providers you will be able to see just your brute force protector.
