Properly End Browser Authentication Flow


Cornelia Lahnsteiner

Aug 3, 2022, 11:34:35 AM
to Keycloak Dev
Hi everyone,

we write our own executions in Keycloak that we use in the browser authentication flow. We have some functionality where we want to show an error message to the user and cancel the entire authentication flow. For this we use context.failure(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR).addError("messageToShowToUser"). This works completely fine.
However, we have also enabled brute force detection with permanent lockout and a maximum of 10 login errors.
When we call context.failure, this also triggers the brute force detection and decrements the login attempts. In the worst case, this would permanently lock out the user.

Is there any way to properly abort the browser flow without decrementing the login attempts and to display an error message to the user?

Use case for this: The user has no credits left to perform a particular function. If there are no credits left, we currently call context.failure. This should not lower the number of login attempts (which we don't want). However, if a user enters a wrong password, login attempts should be reduced (current behavior of Keycloak, which we want to keep).

Thanks,
Cornelia 

Till Markus (IOB/PAU1)

Aug 3, 2022, 11:40:11 AM
to Keycloak Dev

Why not just remove the role/permission which is granting this function and then succeed the flow. This will grant the user a token which is not capable of accessing the function, which the application could then inform the user about.

As the user is, also from the application's point of view, able to log in but not to use the function, I would say this is a cleaner approach. Also he might still have budget for other functions, so this will also scale for this.

So TLDR

  • Check the budget for the function before authentication is done and remove the function roles before the token is exchanged/authentication flow succeeded


Mit freundlichen Grüßen / Best regards

Markus Till


Project Delivery Berlin 22 (IOB/PAU1)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch.io
Tel. +49 30 726112-354 | Mobil +49 172 5782078 | Telefax +49 30 726112-100 | Marku...@bosch.io



lokesh ravichandhu

Aug 4, 2022, 2:36:55 AM
to Cornelia Lahnsteiner, Keycloak Dev
Hi Cornelia,

How about using custom required actions, which will check for the customer's user credits; in case they have credits, it will continue the login, else you can show the error message in the browser.

Thanks,
Lokesh 

Lokesh Ravichandru

CTO | DPO

https://www.grootan.com

https://www.qlikverify.com

Mobile: +91 9789024698

Skype | Email: Lokesh.ra...@grootan.com


Cornelia Lahnsteiner

Aug 8, 2022, 11:13:10 AM
to Thomas Darimont, lokesh ravichandhu, Keycloak Dev
Hi everyone,

thank you all for your great feedback. 

@Markus: We need a user context to check the budget. Therefore, we cannot check the budget before authentication. Also, the application that consumes the access token does not have a frontend where we can display an error message. Keycloak and its authentication is the last point where we can show an error message to the user. Not really pretty, but a requirement in our case.

@Lokesh: We will evaluate your approach. 

@Thomas: We will evaluate your approaches as well. If we implement our own BruteForceProtector, we need to check if the behavior has changed in another update, which means maintenance effort. We would also have to differentiate somehow in our BruteForceProtector which errors count as brute force and which do not.
And yes, it would be great to have an API for that.

Thanks,
Cornelia

On Thu, Aug 4, 2022 at 09:21, Thomas Darimont <thomas....@googlemail.com> wrote:
Hello Cornelia et al.,

I see two additional options here you could try:
1) Instead of letting the auth flow fail, you could simply restart the flow (with a message) and let the new auth session timeout.

However, it would be great to have an API that would allow failing / aborting an authentication flow without counting towards the brute force limit.

@Lokesh Regarding the Required Action:
This would probably work, but then the user would in fact have a working authentication session that might enable the user to access other clients or functionality if not locked down thoroughly.

@Markus:
Regarding "Check the budget for the function before authentication is done"
How do you check whether a user has sufficient funds before you authenticate the user? I think what would work is to check for funds before / during (as part of) the authorization, either on the Keycloak side, in a middleware / gateway or the app.

Cheers,
Thomas
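As an added example, not code from this thread, from Keycloak or from any of the posters: a custom Authenticator of the kind Cornelia describes, placed as a REQUIRED step after the Username Password Form in a copy of the browser flow. It follows the direction of Thomas's option 1 (stop with a message instead of failing), in the variant that leaves the authentication session unfinished so it expires, rather than restarting it. The point it demonstrates is the distinction the original question asks for: a wrong password is still handled by Keycloak's own form authenticator and keeps counting, while the out-of-credits case ends the login without a FAILED result, which is the result status Keycloak's flow processor reports to the brute force protector (the behaviour Cornelia observed with context.failure). The CreditLookup interface, the noCreditsLeft message key, the event detail name and the package name are assumptions; the javax.ws.rs import matches Keycloak releases of that time (newer releases use jakarta.ws.rs). The AuthenticatorFactory needed to register it is not shown.

```java
package com.example.keycloak.auth; // package name is an assumption for this example

import javax.ws.rs.core.Response; // jakarta.ws.rs.core.Response on newer Keycloak

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Added example: an Authenticator that runs after the username/password form.
 * A wrong password never reaches this step; Keycloak's form authenticator
 * fails it and that failure keeps counting towards brute force detection.
 * This step only decides whether an already authenticated user may continue.
 */
public class CreditCheckAuthenticator implements Authenticator {

    /** Assumed lookup of the user's remaining credits; not a Keycloak API. */
    public interface CreditLookup {
        int remainingCredits(UserModel user);
    }

    /** Assumed message key; it must exist in the theme's messages bundle. */
    static final String NO_CREDITS_MESSAGE = "noCreditsLeft";

    private final CreditLookup credits;

    public CreditCheckAuthenticator(CreditLookup credits) {
        this.credits = credits;
    }

    @Override
    public boolean requiresUser() {
        // The check needs a user context, so it can only run after the password step.
        return true;
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // Cannot happen with requiresUser() == true unless the flow is
            // misconfigured; mark the step as attempted rather than as a user error.
            context.attempted();
            return;
        }

        if (credits.remainingCredits(user) > 0) {
            context.success();
            return;
        }

        // Out of credits: show the message and stop here WITHOUT context.failure(...).
        // A forced challenge hands the error page to the browser as the result of
        // this execution; the flow processor only reports a FAILED result to the
        // brute force protector, so the user's login attempts are untouched. The
        // authentication session is left unfinished and expires on its own.
        context.getEvent().detail("reason", "no_credits"); // constructed detail name
        Response errorPage = context.form()
                .setError(NO_CREDITS_MESSAGE)
                .createErrorPage(Response.Status.FORBIDDEN);
        context.forceChallenge(errorPage);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // The error page submits nothing; if anything is posted back to this
        // execution, simply re-run the check.
        authenticate(context);
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // This step adds no required actions.
    }

    @Override
    public void close() {
        // Nothing to release.
    }
}
```

Because the step never calls context.success() in the no-credits case, no token is issued and the user cannot reach other clients with a half-finished session, which is the concern Thomas raises about the required-action approach. Whether a challenge result really stays outside the brute force accounting should be re-checked against DefaultAuthenticationFlow of the Keycloak version in use, since the thread itself notes that relying on this internal behaviour is a maintenance risk.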

lokesh ravichandhu

Aug 9, 2022, 3:21:39 AM
to Cornelia Lahnsteiner, Keycloak Dev, Thomas Darimont
Sounds good.