lockout user after invalid login attempts #1869

Open
frankbe opened this issue Nov 21, 2020 · 0 comments
Comments

frankbe commented Nov 21, 2020

Is your feature request related to a problem? Please describe.
I recently replaced a form-based login in a legacy Java web application. The new solution is based on OIDC with dex as OpenID Connect provider and Azure AD as backend identity provider. Everything finally works like a charm, but now there is one security feature missing, because I still haven't found a possible replacement for it. Before, when a user made five invalid login attempts, his remote address was stored in a database and he was blocked for one hour. That was a (somewhat rudimentary) protection against brute force attacks. The old solution doesn't work anymore, because now all invalid login attempts are caught outside the application. I could not find something like that for dex, neither in the examples nor in the docs.

Describe the solution you'd like to see
It would be nice to see a feature like that for dex. The remote address (or the username) could probably be stored in the database of dex and controlled with a configuration option, where one can also define the duration of the locking.

Describe alternatives you've considered
I was thinking of locking the user in the backend (Active Directory), but I also couldn't find a solution for that. The Active Directory cannot recognize an invalid login because the login to the AD is established with a service account (with bindDN and bindPW) and not with the user credentials.

Additional context
If there is another approach to protect against brute force attacks, I'd love to hear about it.

frankbe changed the title from "blocking after invalid login attempts" to "lockout user after invalid login attempts" on Nov 23, 2020
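The lockout the issue asks for, written out as an added Go example; this is not dex's code and not code from the issue author. It is an in-memory tracker keyed by remote address or username that uses the issue's numbers (five failures, one hour lock). The type and function names, the failure window, and the injectable clock are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LockoutPolicy captures the behaviour described in the issue: after
// MaxFailures failed attempts for one key (remote address or username)
// within Window, the key is refused for LockFor. The numbers come from
// the issue; the field names and Window are assumptions of this example.
type LockoutPolicy struct {
	MaxFailures int
	Window      time.Duration
	LockFor     time.Duration
}

// DefaultPolicy returns the issue's values: five failures lock for one hour.
func DefaultPolicy() LockoutPolicy {
	return LockoutPolicy{MaxFailures: 5, Window: time.Hour, LockFor: time.Hour}
}

type entry struct {
	failures    int
	windowStart time.Time
	lockedUntil time.Time
}

// Lockout tracks failed logins per key. A real deployment would keep the
// entries in shared storage so that every replica sees the same counters.
type Lockout struct {
	mu      sync.Mutex
	policy  LockoutPolicy
	entries map[string]*entry
	now     func() time.Time // injectable clock so expiry can be tested
}

// NewLockout builds a tracker; a nil clock means time.Now.
func NewLockout(p LockoutPolicy, now func() time.Time) *Lockout {
	if now == nil {
		now = time.Now
	}
	return &Lockout{policy: p, entries: map[string]*entry{}, now: now}
}

// Allowed reports whether an attempt for key may proceed. When it may not,
// the second value is how long the lock has left.
func (l *Lockout) Allowed(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	e, ok := l.entries[key]
	if !ok {
		return true, 0
	}
	now := l.now()
	if now.Before(e.lockedUntil) {
		return false, e.lockedUntil.Sub(now)
	}
	return true, 0
}

// RecordFailure counts one failed attempt and reports whether this failure
// started a lock. Failures older than the window are forgotten first.
func (l *Lockout) RecordFailure(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	e, ok := l.entries[key]
	if !ok || now.Sub(e.windowStart) > l.policy.Window {
		e = &entry{windowStart: now}
		l.entries[key] = e
	}
	e.failures++
	if e.failures >= l.policy.MaxFailures {
		e.lockedUntil = now.Add(l.policy.LockFor)
		e.failures = 0
		e.windowStart = now
		return true
	}
	return false
}

// RecordSuccess clears the counters for key. A success while the key is
// still locked is ignored, since callers must check Allowed first.
func (l *Lockout) RecordSuccess(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if e, ok := l.entries[key]; ok && !l.now().Before(e.lockedUntil) {
		delete(l.entries, key)
	}
}

func main() {
	// Constructed demo: five failures from one (documentation-range) address.
	l := NewLockout(DefaultPolicy(), nil)
	for i := 1; i <= 5; i++ {
		fmt.Printf("failure %d locked=%v\n", i, l.RecordFailure("203.0.113.7"))
	}
	ok, left := l.Allowed("203.0.113.7")
	fmt.Printf("allowed=%v remaining=%s\n", ok, left.Round(time.Second))
}
```

Two design points matter more than the code. Keying on the remote address is weak behind a reverse proxy or NAT (every user shares one address, or the proxy's address is all the application sees) and an attacker can spread attempts across addresses; keying on the username lets an attacker lock legitimate users out on purpose, so a short lock combined with logging and alerting on each lock event is the usual compromise. Whatever the key, the counters must live in storage shared by all dex replicas, not in process memory as in this example.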