
Keycloak custom brute force detection

I am trying to figure out whether it is possible to create custom brute force detection in Keycloak. The logic they have doesn't match my requirements, so I have to extend or create my own provider. For example, what I need is: after X failed login attempts, the user should be blocked for X minutes. After the user gets unlocked and fails again, I want to specify Y time. In Keycloak it is currently going to be the same X value for that user, because they have an algorithm to calculate the wait time: wait time * (countOfFailures / maxFailures). The division is an integer division rounded down to a whole number,

and if I set 10 min max, the first 5 fails will be a 10 min lockout, then on the sixth one it will be 20 min.
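As an added example (not code from the question, the answer, or Keycloak itself), the following Python models the wait-time formula quoted above next to the escalating "X minutes for the first lockout, Y for the second" schedule the question asks for. The parameter values are constructed (failure factor 5, 10-minute increment, 60-minute cap, an escalating schedule of 10 min / 30 min / 24 h), and all class and function names are this example's own.

```python
"""Model of the two lockout schedules compared in the question above.

Constructed example: a stand-alone simulation, not Keycloak code. It
implements the formula quoted in the question,
    wait = waitIncrement * (numFailures // failureFactor)
(integer division), capped at a maximum wait, next to the escalating
per-lockout schedule (X minutes, then Y minutes, ...) the question asks for.
Class and function names are this example's own choices.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DefaultPolicy:
    """Wait time as described in the question: grows by wait_increment every
    failure_factor failures and is capped at max_wait (all values in seconds)."""
    failure_factor: int
    wait_increment: int
    max_wait: int

    def wait_seconds(self, num_failures: int) -> int:
        if num_failures < self.failure_factor:
            return 0  # below the threshold: not locked
        wait = self.wait_increment * (num_failures // self.failure_factor)
        return min(wait, self.max_wait)


@dataclass(frozen=True)
class EscalatingPolicy:
    """What the question asks for: the n-th lockout lasts lockout_schedule[n-1];
    once the schedule is exhausted the last value repeats."""
    failure_factor: int
    lockout_schedule: tuple  # seconds for the 1st, 2nd, 3rd, ... lockout

    def wait_seconds(self, num_failures: int) -> int:
        if num_failures < self.failure_factor:
            return 0
        lockouts_so_far = num_failures // self.failure_factor  # 1 at the first lockout
        idx = min(lockouts_so_far, len(self.lockout_schedule)) - 1
        return self.lockout_schedule[idx]


class LockoutTracker:
    """Per-user state. Failures accumulate until a successful login resets them,
    which is why the default formula keeps growing for the same user. Callers
    must check is_locked() before letting an authentication attempt through."""

    def __init__(self, policy):
        self.policy = policy
        self.num_failures = 0
        self.locked_until = 0  # epoch seconds; 0 means never locked

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def failed_login(self, now: int) -> int:
        """Record a failure; return the lockout length applied (0 = none)."""
        self.num_failures += 1
        wait = self.policy.wait_seconds(self.num_failures)
        if wait:
            self.locked_until = now + wait
        return wait

    def successful_login(self) -> None:
        """A successful login clears the counter and any remaining lockout."""
        self.num_failures = 0
        self.locked_until = 0


def lockout_lengths(policy, failures: int) -> list:
    """Lockout length (seconds) triggered by each of failures 1..failures; 0 = none."""
    return [policy.wait_seconds(n) for n in range(1, failures + 1)]


if __name__ == "__main__":
    default = DefaultPolicy(failure_factor=5, wait_increment=600, max_wait=3600)
    custom = EscalatingPolicy(failure_factor=5, lockout_schedule=(600, 1800, 86400))
    for name, policy in (("default", default), ("escalating", custom)):
        print(name, lockout_lengths(policy, 20))
```

The difference between the two policies is what the duration is keyed on: the default schedule is a function of the raw failure count, so the sixth, seventh and eighth failures all produce the same wait, while the escalating schedule is keyed on how many lockouts the user has already earned, which is the state a custom protector would have to keep per user in addition to the failure count.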

Keycloak has an SPI named org.keycloak.services.managers.BruteForceProtectorSpi that you can implement, but it's in the server-spi-private module, which means it's supposed to be used only by Keycloak itself and not to be extended. I have never tried to implement an SPI of that module. It may not work at all, or even if you manage to make it work, the interface and the way it's used may change in future versions without any notice.

EDIT:

Remember, if you're overriding such a service provider (one that Keycloak expects to have only one active instance of at a time), you should define it in the WildFly configuration under the keycloak subsystem (I don't know how to do it in the recent Quarkus versions, but you get the idea) and then set it as the default provider. Here is what I did when I wanted to add a custom LocaleSelector provider:

<spi name="localeSelector">
    <!-- default-provider must match the name attribute of the provider below -->
    <default-provider>custom-locale-selector</default-provider>
    <provider name="custom-locale-selector" enabled="true">
        <properties>
            <property name="prop1" value="value1"/>
        </properties>
    </provider>
</spi>

SOLUTION

I just created these classes:

  • CustomBruteForceProtector
  • CustomBruteForceProtectorFactory
  • CustomBruteForceProtectorSpi

Then register them in META-INF/services:

  • org.keycloak.provider.Spi
  • org.keycloak.services.managers.BruteForceProtectorFactory

And at the end we need to specify the default Protector SPI (standalone-ha.xml):

<spi name="bruteForceProtector">
    <default-provider>custom-brute-force-detector</default-provider>
    <provider name="custom-brute-force-detector" enabled="true"></provider>
</spi>

Then under Server Info / Providers you will be able to see just your brute force protector (screenshot omitted).
