How to detect that a user is locked with the Admin REST API?

Amir Dar

Aug 4, 2022, 9:01:31 AM
to Keycloak User
Hi,
when a user enters a wrong user name or password we get an error "Unauthorized - Invalid user credentials", which makes sense.

But in our configuration, after 5 attempts the user is locked.
When we send another login with bad credentials we still get "Unauthorized - Invalid user credentials", BUT we have no way to know that the user is locked at this point.

Someone already asked this 5 years ago in this [SOF post](https://stackoverflow.com/questions/41467004/keycloak-indicate-user-is-temporarily-locked),

but I don't get the answer he received.

For example, one option is to send:
GET /{realm}/attack-detection/brute-force/users/{userId}
but I have 2 problems with this approach:
1. I don't have the userId. I have the user name.
2. In order to invoke this endpoint I need to be authenticated, which is a paradox since I'm handling a failed login attempt.

Is there no other way to understand that a user is locked?

Björn Pedersen

Aug 5, 2022, 3:22:04 AM
to Keycloak User
You should be accessing this with an admin account from the master realm, not as the affected user. As an admin you should be able to look up the userId from the username/email.
As the affected user, it is an important security feature that the reason why the login does not succeed is not revealed.
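The admin-side lookup Björn describes, as an added example that is not from this thread or from the Keycloak project: obtain a master-realm admin token, resolve the username to a userId with an exact search, then query the brute-force status endpoint. The base URL, realm name and admin credentials are placeholders; the `exact=true` search parameter and the `disabled`/`numFailures` response fields are those of the Admin REST API.

```python
import json
import urllib.parse
import urllib.request

# Placeholder deployment values (hypothetical): replace with your own.
BASE_URL = "https://keycloak.example.com"  # older releases serve under /auth
TARGET_REALM = "myrealm"
ADMIN_USER = "admin"
ADMIN_PASSWORD = "change-me"


def _http(method, url, data=None, token=None):
    """Minimal urllib helper: form-encoded body in, JSON out; injectable for tests."""
    headers = {"Accept": "application/json"}
    body = None
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if data is not None:
        body = urllib.parse.urlencode(data).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def admin_token(http=_http):
    """Password grant against the master realm's built-in admin-cli client.
    Fetch once and reuse until expiry; it need not be repeated per failed login."""
    tok = http("POST", f"{BASE_URL}/realms/master/protocol/openid-connect/token",
               data={"grant_type": "password", "client_id": "admin-cli",
                     "username": ADMIN_USER, "password": ADMIN_PASSWORD})
    return tok["access_token"]


def lockout_status(username, token, http=_http):
    """Request 1: exact username -> userId. Request 2: brute-force status for that id.
    Returns None when the username does not exist in the realm."""
    admin = f"{BASE_URL}/admin/realms/{TARGET_REALM}"
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    users = http("GET", f"{admin}/users?{query}", token=token)
    if not users:
        return None
    user_id = users[0]["id"]
    status = http("GET", f"{admin}/attack-detection/brute-force/users/{user_id}",
                  token=token)
    # "disabled" is true while brute-force detection is blocking this user's logins
    return {"userId": user_id,
            "locked": bool(status.get("disabled", False)),
            "numFailures": int(status.get("numFailures", 0))}
```

Run `lockout_status("alice", admin_token())` from a monitoring job or a login-handling backend; the token can be cached, so each failed login costs the two admin calls, never more.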

Amir Dar

Aug 7, 2022, 3:55:34 AM
to Keycloak User
Hi,
thanks for the answer. It makes sense to invoke the endpoint as admin of the master realm.
However, I find it pretty odd that in order to understand that a user is blocked we have to send an additional 2 requests to the API for every failed login.
Very inefficient in my opinion.