Keycloak - Show a message if a user is blocked - keycloak

How can I show a message if a user is blocked after a brute force detection?
I'm using Keycloak 2.0.0 and I keep having the same error "Invalid username or password."
Thanks
UPDATE: it seems like the issue has already been detected in version 1.9.2.Final HERE

Yes, it's available in the UserRepresentation returned by
http://www.keycloak.org/docs/rest-api/index.html#_get_represenation_of_the_user
You can also check brute force status on
http://www.keycloak.org/docs/rest-api/index.html#_get_status_of_a_username_in_brute_force_detection

Related

Keycloak - conditional flow - cannot edit condition

I want to create a conditional flow for resetting the password: if a user has some attribute or a role, then I don't want the reset password email to be sent. But when I edit Keycloak flow conditions I am getting a weird error.
A flow which I've created.
However, when I want to edit the condition and click on the options button there, I get this message:
Cannot convert undefined or null to object
The same is for other conditions.
In the Keycloak logs I don't see any errors.
I am using dockerized Keycloak 19.
Maybe someone knows another way to disable password reset only for particular users.
Thank you

Authentication context not auditing success event

I use Keycloak to reset a user's password through a custom flow.
The flow works for resetting the password and logging/auditing error events.
But context.success() doesn't log events in EVENT_ENTITY. I tried changing the event type to try and find the root cause using
context.getEvent().event(EventType.SEND_RESET_PASSWORD_ERROR); // e.g. before context.success();
I am not sure what the problem is, or I fail to understand what is different between setting a success and an error.
I found the issue: I was missing a call to send the event on success.
On error, context.getEvent().error(..) calls EventBuilder.send() internally. I had to use context.getEvent().success() to save the event on success.

Keycloak registration throws HTTP 500 for duplicate email

I know there's an earlier question with this subject here, but the OP never reported if the one answer resolved the issue. And since
Internal Server Error
is about as user-unfriendly as you can get, I would love to change this to something that feels more like "a message" than "an anvil dropped on your foot".
I have found one other SO post that tangentially relates to this issue (about that disappearing "duplicate emails" switch), but the problem is indeed not about whether or not to allow duplicate emails (or how to revive hidden admin controls) but how a very ordinary issue is communicated to the user - well, like how Keycloak notifies the user when they try and register with an existing username.
We're currently using the Docker version of Keycloak 12.0.4 with some customisations (a custom BCrypt module, some logging changes) running in IBM Cloud, using a PostgreSQL DB. We also added a custom theme & internationalisation. The same error occurs also when using the default Keycloak theme, though.
Here are our Login settings:
It turned out to be a configuration issue, but so deeply hidden that even the Keycloak developer who looked into the ticket I created had glossed over it.
The perpetrator was in the menu Configure > Authentication > tab: Flows > choose dropdown: Registration > Profile validation radio button [o REQUIRED | o DISABLED]
This was set to disabled, which in effect prevents the duplicate email check in the registration form that the Realm settings > tab: Login form suggests is active. But then, of course, the database won't like that, with the above-mentioned result.
This combination of settings should at least issue a warning, of course. I hope this will be corrected.
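As an added example (not code from the question or the answer above), here is a small audit that detects the setting combination the answer identified by reading the same data the admin console shows. It assumes two admin REST endpoints, `GET /admin/realms/{realm}` (the RealmRepresentation with `duplicateEmailsAllowed` and `registrationAllowed`) and `GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions`, and that the Profile Validation step carries the provider id `registration-profile-action`, which is assumed from Keycloak's built-in registration flow; the server URL, realm and sample data are placeholders constructed for the example.

```python
"""Audit the registration flow for "Profile Validation = DISABLED" combined with
duplicate emails disallowed, the combination that turns a duplicate email into
an HTTP 500. Endpoints and provider ids are assumed from Keycloak's admin REST
API and built-in registration flow; verify them against your version."""
import json
import urllib.request

# Placeholders for a real deployment.
KEYCLOAK_URL = "https://keycloak.example.invalid"
REALM = "demo"

# Assumed provider id of the "Profile Validation" execution.
PROFILE_VALIDATION_ID = "registration-profile-action"


def admin_get(path, token):
    """GET an admin REST resource as JSON with a bearer token (live use only)."""
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/admin/realms/{REALM}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_execution(executions, provider_id):
    """Return the flow execution with the given providerId, or None."""
    for ex in executions:
        if ex.get("providerId") == provider_id:
            return ex
    return None


def audit_registration(realm, executions):
    """Return a list of findings; empty when the registration flow is consistent."""
    findings = []
    if not realm.get("registrationAllowed", False):
        return findings  # self-registration is off, nothing to check
    step = find_execution(executions, PROFILE_VALIDATION_ID)
    if step is None:
        findings.append("registration flow has no Profile Validation step")
    elif step.get("requirement") == "DISABLED":
        if realm.get("duplicateEmailsAllowed", False):
            findings.append("Profile Validation is DISABLED: form-level validation "
                            "of registration data is skipped")
        else:
            findings.append("Profile Validation is DISABLED while duplicate emails are "
                            "disallowed: the duplicate-email check is skipped and the "
                            "database unique constraint surfaces as HTTP 500")
    return findings


# Constructed sample data mirroring the configuration the answer describes.
SAMPLE_REALM = {"realm": REALM, "registrationAllowed": True,
                "duplicateEmailsAllowed": False}
SAMPLE_EXECUTIONS = [
    {"displayName": "Registration User Creation",
     "providerId": "registration-user-creation", "requirement": "REQUIRED"},
    {"displayName": "Profile Validation",
     "providerId": PROFILE_VALIDATION_ID, "requirement": "DISABLED"},
    {"displayName": "Password Validation",
     "providerId": "registration-password-action", "requirement": "REQUIRED"},
]


def audit_live(token, flow_alias="registration"):
    """Run the audit against a real server (needs a valid admin token)."""
    realm = admin_get("", token)
    executions = admin_get(f"/authentication/flows/{flow_alias}/executions", token)
    return audit_registration(realm, executions)


if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_REALM, SAMPLE_EXECUTIONS):
        print("FINDING:", finding)
```

Running the sample reports the single finding for the DISABLED step; switching the requirement back to REQUIRED (as the answer did) yields no findings.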

Keycloak: Indicate user is temporarily locked

After a user has failed to log in too many times in too short a time, is there a way to have the Keycloak login screen tell the user that they are temporarily locked, so they know they have to wait and try again later?
At the moment it continues to tell them their password is wrong, so they will probably keep trying, and may end up being told their correct password is incorrect.
Ideally I'd like to be able to do this with only changes to the login theme, and without making extra API calls.
Yes, it's available in the UserRepresentation returned by
GET /{realm}/users/{id}
You can also check brute force status on
GET /{realm}/attack-detection/brute-force/users/{userId}
The latter will only show if it's temporarily disabled.
You can make it without any extra API calls, just use
Admin REST APIs (Get Users and Get Representation Of User)
it returns inconsistent values of attribute "enabled" after "Max Login Failure" attempts exceeded
Description
Different returned values of parameter "enabled" (for a given {uid}) between the following two admin REST API requests after "Max Login Failure" attempts are exceeded.
1. Get representation of the user
   GET /admin/realms/{realm}/users/{id} => "enabled":false
2. Get users
   2.1 GET /admin/realms/{realm}/users => "enabled":true
   2.2 GET /admin/realms/{realm}/users?search={string} => "enabled":true
3. Get status of a username in brute force detection
   GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username} => ("disabled":true)
Note: GUI Admin console returns user=disabled and locked after Max Login Failure attempts.
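As an added example (not part of the answers above, which only name the endpoints), here is the decision logic for the approach both "UserRepresentation plus brute-force status" answers on this page describe: combine the per-user representation with the brute-force status to classify the account and pick the message to show. The dictionaries are constructed samples shaped like the responses of `GET /admin/realms/{realm}/users/{id}` and `GET /admin/realms/{realm}/attack-detection/brute-force/users/{userId}`; the field names of the brute-force response (`disabled`, `numFailures`, `lastFailure`, `lastIPFailure`) are assumed from Keycloak's attack-detection resource, and the helper, message texts and sample values are my own.

```python
"""Classify a Keycloak account from the two admin REST responses and choose a
login-form message. Sample payloads are constructed; brute-force field names are
assumed from Keycloak's attack-detection resource."""
from datetime import datetime, timezone


def lockout_status(user_detail, brute_force, user_from_list=None):
    """Return a dict with state 'temporarily_locked', 'disabled' or 'active'.

    The brute-force 'disabled' flag is the authoritative lockout signal. The
    'enabled' flag is read from the per-user endpoint only, because, as the
    issue quoted above reports, the list/search endpoint can still report
    enabled=true for a locked user; that mismatch is flagged separately.
    """
    if brute_force.get("disabled"):
        state = "temporarily_locked"
    elif not user_detail.get("enabled", True):
        state = "disabled"
    else:
        state = "active"
    last_failure = brute_force.get("lastFailure")  # epoch milliseconds
    return {
        "username": user_detail.get("username"),
        "state": state,
        "failures": brute_force.get("numFailures", 0),
        "last_failure": (datetime.fromtimestamp(last_failure / 1000, tz=timezone.utc).isoformat()
                         if last_failure else None),
        "last_failure_ip": brute_force.get("lastIPFailure"),
        "list_detail_mismatch": (user_from_list is not None and
                                 user_from_list.get("enabled") != user_detail.get("enabled")),
    }


def login_message(status, reveal_lockout=False):
    """Text for the login form.

    By default a locked account gets the same wording as a wrong password, so the
    form does not confirm which usernames exist; reveal_lockout=True opts into
    the explicit 'try again later' hint the question asks for.
    """
    if status["state"] == "temporarily_locked" and reveal_lockout:
        return "Too many failed attempts. The account is temporarily locked; please try again later."
    if status["state"] == "disabled":
        return "Account is disabled, contact the administrator."
    return "Invalid username or password."


# Constructed sample responses after five failed logins inside the lockout window.
SAMPLE_USER_DETAIL = {"id": "0f0f0f0f-0000-4000-8000-000000000001",
                      "username": "alice", "enabled": False}
SAMPLE_USER_FROM_LIST = {"id": "0f0f0f0f-0000-4000-8000-000000000001",
                         "username": "alice", "enabled": True}
SAMPLE_BRUTE_FORCE = {"disabled": True, "numFailures": 5,
                      "lastFailure": 1506772578000, "lastIPFailure": "203.0.113.7"}

if __name__ == "__main__":
    status = lockout_status(SAMPLE_USER_DETAIL, SAMPLE_BRUTE_FORCE, SAMPLE_USER_FROM_LIST)
    print(status)
    print(login_message(status, reveal_lockout=True))
```

The `list_detail_mismatch` flag is what an operator would alert on while the inconsistency described in the quoted issue is present; the `reveal_lockout` switch exists because an explicit lockout message tells an attacker the username is valid, so it is worth making that a deliberate choice per realm.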

how to use setwebhook in telegram?

Hello, I'm creating a bot in Telegram. I send an HTTP request:
https://api.telegram.org/bot(mytoken)/setWebhook?url=https://mywebpagetorespondtobot
and I receive this:
{"ok":true,"result":true,"description":"Webhook was set"}
but it doesn't work. I mean Telegram doesn't send updates to the server.
Is this because I didn't upload my certificate? How should I do that then?
Check the status of your updates here:
https://api.telegram.org/botYOUR_TOKEN/getWebhookInfo
It will tell you about any errors. Should you not see any problems here, the issue is to be found somewhere in your script. Make sure to handle incoming updates correctly.
It might be a problem with a self-signed certificate. It needs to be uploaded via the setWebhook method first as described here. Or try a more extensive guide here.
It means that your public key is incorrect.
You may check it via the URL https://api.telegram.org/bot{token}/getWebhookInfo
after setting it.
When I sent an incorrect public key, I received:
{"ok":true,"result":{"url":"","has_custom_certificate":false,"pending_update_count":6}}
but if I sent a correct public key, I received:
{"ok":true,"result":{"url":"mycorrecturl.com","has_custom_certificate":true,"pending_update_count":6,"last_error_date":1506772578,"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}","max_connections":40}}
I changed the setWebhook URL to a and it worked. It seems that it doesn't work with a webpage URL.
https://api.telegram.org/bot(mytoken)/setWebhook?url=https://mywebpagetorespondtobot/mymethod (the WebMethod)
BotFather -> Bot list -> API Token -> Revoke current token
https://api.telegram.org/bot(New token)/setWebhook?url=https://myweb...
Done)
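As an added example (not code from any of the answers above), here is a helper that interprets getWebhookInfo output the way the answers do, so that "Webhook was set" is not mistaken for "updates are actually delivered". The two sample responses are constructed copies of the shapes quoted in the answer above (with placeholder URLs), the third is a constructed healthy response, and YOUR_TOKEN is a placeholder; the state names and the live fetch helper are my own.

```python
"""Diagnose a Telegram bot webhook from the getWebhookInfo response.
Sample responses are constructed to mirror the ones quoted in the answers."""
import json
import urllib.request

TELEGRAM_API = "https://api.telegram.org"


def webhook_info_url(token):
    """URL of the getWebhookInfo method for this bot token."""
    return f"{TELEGRAM_API}/bot{token}/getWebhookInfo"


def fetch_webhook_info(token):
    """Live call (needs network access and a real bot token)."""
    with urllib.request.urlopen(webhook_info_url(token), timeout=10) as resp:
        return json.load(resp)


def diagnose_webhook(info):
    """Return (state, detail) for a getWebhookInfo response."""
    if not info.get("ok"):
        return "api_error", info.get("description", "request not ok")
    result = info.get("result", {})
    if not result.get("url"):
        # Empty url: nothing is registered, whatever setWebhook said earlier.
        return ("no_webhook",
                "url is empty: re-run setWebhook, uploading the certificate "
                "if the server uses a self-signed one")
    err = result.get("last_error_message")
    if err:
        lowered = err.lower()
        state = "tls_error" if ("certificate" in lowered or "ssl" in lowered) else "delivery_error"
        return state, err
    pending = result.get("pending_update_count", 0)
    if pending:
        return "pending", f"{pending} update(s) queued for delivery to {result['url']}"
    return "healthy", f"webhook {result['url']} set, no delivery errors recorded"


# Constructed samples mirroring the two responses quoted above, plus a healthy one.
SAMPLE_NOT_SET = {"ok": True, "result": {"url": "", "has_custom_certificate": False,
                                          "pending_update_count": 6}}
SAMPLE_TLS_FAIL = {"ok": True, "result": {
    "url": "https://mycorrecturl.example.invalid/hook", "has_custom_certificate": True,
    "pending_update_count": 6, "last_error_date": 1506772578,
    "last_error_message": "SSL error {337047686, error:1416F086:SSL routines:"
                          "tls_process_server_certificate:certificate verify failed}",
    "max_connections": 40}}
SAMPLE_OK = {"ok": True, "result": {"url": "https://bot.example.invalid/hook",
                                     "has_custom_certificate": False,
                                     "pending_update_count": 0}}

if __name__ == "__main__":
    for sample in (SAMPLE_NOT_SET, SAMPLE_TLS_FAIL, SAMPLE_OK):
        print(diagnose_webhook(sample))
```

The `tls_error` branch matches the second quoted response: the certificate Telegram was given does not verify against what the server presents, which is why the answer above points at uploading the right certificate with setWebhook. Because the bot token sits in the URL path, keep these URLs out of shared logs and, as the last answer does, revoke the token in BotFather if it has been exposed.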