Notifying user when their account is permanently blocked


zam...@gmail.com

Jul 15, 2025, 10:54:27 AM
to Keycloak User
Hello

We are using realm security defenses with brute force detection that has the "Lockout permanently" setting.

Is there any way to have the user get an email notification when this happens?

Currently, when a user logs in incorrectly 5x, they get permanently locked out, and from that point onward the system will not even send emails when the "Forgot password" flow is initiated.
We'd like to know if there is a way to send an email to the user stating that their account has been permanently locked out and that they can reach out to an administrator for help.

Alternatively, if this is not possible out of the box, is there a way to notify an administrator via email? Perhaps by using the email event listener but only for this certain event (although that does not seem to be possible, as defined event listeners use all defined event types)?

Thanks...
Z

Niko Köbler

Jul 17, 2025, 8:27:49 AM
to Keycloak User
You can use and configure the "email" event listener for this.
Just enable it for your desired realm and add this configuration to your server environment to enable only emails in case of permanent lockout:
KC_SPI_EVENTS_LISTENER_EMAIL_INCLUDE_EVENTS: user_disabled_by_permanent_lockout

zam...@gmail.com

Jul 18, 2025, 9:59:26 AM
to Keycloak User
Thanks Niko

Not sure why I didn't see it, but this is in the docs as well:
https://www.keycloak.org/docs/latest/server_admin/index.html#the-email-event-listener

One just has to reference valid event types which can be found here:
https://www.keycloak.org/server/all-provider-config#option-extended-spi-events-listener--email--include-events

zam...@gmail.com

Jul 24, 2025, 12:02:02 PM
to Keycloak User
Another observation worth mentioning

While adding the email notifier is *per realm*, the include/exclude email event types setting (e.g. spi-events-listener--email--include-events) is *global*.
This means you cannot customize which email listener events to include/exclude per realm...
If someone knows of a workaround, please let me know...

Z....
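
Added example, not part of the thread and not Keycloak project code: a small audit that checks which realms would actually send the permanent-lockout email, combining the per-realm listener setting with the server-wide include-events value discussed above. It assumes realm JSON with the realm representation fields `bruteForceProtected`, `permanentLockout`, `eventsListeners` and `smtpServer`; the realm names and SMTP host are constructed sample data.

```python
LOCKOUT_EVENT = "USER_DISABLED_BY_PERMANENT_LOCKOUT"


def parse_include_events(value):
    """Parse the server-wide include-events value (comma-separated, any case)."""
    return {e.strip().upper() for e in value.split(",") if e.strip()}


def audit_realm(realm, include_events):
    """Return the reasons this realm would NOT mail on a permanent lockout."""
    problems = []
    # Realms that do not use permanent lockout have nothing to notify about.
    if not (realm.get("bruteForceProtected") and realm.get("permanentLockout")):
        return problems
    # The listener is switched on per realm ...
    if "email" not in (realm.get("eventsListeners") or []):
        problems.append("email event listener not enabled for realm")
    # ... and needs the realm's SMTP settings to deliver anything.
    if not (realm.get("smtpServer") or {}).get("host"):
        problems.append("no SMTP host configured")
    # The event filter is server-wide, so it is the same for every realm.
    if LOCKOUT_EVENT not in include_events:
        problems.append("server-wide include-events lacks " + LOCKOUT_EVENT)
    return problems


def audit(realms, include_events_value):
    """Map realm name -> list of problems (empty list means notification works)."""
    include = parse_include_events(include_events_value)
    return {r["realm"]: audit_realm(r, include) for r in realms}


# Constructed sample realm representations (not taken from the thread).
SAMPLE_REALMS = [
    {"realm": "customers", "bruteForceProtected": True, "permanentLockout": True,
     "eventsListeners": ["jboss-logging", "email"],
     "smtpServer": {"host": "smtp.example.test", "from": "noreply@example.test"}},
    {"realm": "partners", "bruteForceProtected": True, "permanentLockout": True,
     "eventsListeners": ["jboss-logging"], "smtpServer": {}},
    {"realm": "internal", "bruteForceProtected": True, "permanentLockout": False,
     "eventsListeners": ["jboss-logging"], "smtpServer": {}},
]

if __name__ == "__main__":
    result = audit(SAMPLE_REALMS, "user_disabled_by_permanent_lockout")
    for name, problems in result.items():
        print(name, "OK" if not problems else "; ".join(problems))
```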
