
Invalidate authentication session on repeated Recovery Code failures #26180

Closed
1 task done
Tracked by #25914
douglaspalmer opened this issue Jan 13, 2024 · 0 comments · Fixed by #26184
Labels: area/authentication, kind/bug, release/24.0.0
Milestone: 24.0.0

douglaspalmer (Contributor) wrote:

Area

authentication

Describe the bug

At present, when a user is locked out by brute force protection the authentication session isn't invalidated. As a result, when a temporary lockout expires an attacker can continue trying to guess the Recovery Code without reauthenticating. We should terminate the authentication session when the user is locked out by brute force.

Version

999.0.0-SNAPSHOT

Expected behavior

When the user is locked out by brute force protection the auth session should end and the browser should be redirected to the login page.

Actual behavior

When the user is locked out by brute force protection the auth session remains valid and the user can continue guessing recovery codes.

How to Reproduce?

Configure recovery codes and enable brute force protection. Guess the recovery code enough times to get a temporary lockout of the user. Wait for the lockout to time out and continue guessing recovery codes without reauthenticating.

Anything else?

No response
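A constructed model of the flow this report describes, added here as an illustration and not Keycloak's code: the threshold, lockout duration, sample codes and the `invalidate_on_lockout` switch are assumptions, and the switch contrasts the reported behaviour (guessing resumes once the lockout expires) with the expected one (the lockout also ends the authentication session, so any further attempt requires logging in again).

```python
# Constructed model of recovery-code verification with brute-force lockout.
# Not Keycloak code: thresholds, names and the flow are assumptions made to
# show why a temporary lockout must also end the authentication session.
from dataclasses import dataclass
import hmac

MAX_FAILURES = 3       # assumed lockout threshold
LOCKOUT_SECONDS = 60   # assumed temporary lockout duration


@dataclass
class AuthSession:
    user: str
    valid: bool = True


@dataclass
class UserState:
    codes: list          # unused one-time recovery codes
    failures: int = 0
    locked_until: float = 0.0


def verify_recovery_code(user, session, code, now, invalidate_on_lockout):
    """Return 'ok', 'invalid', 'locked' or 'login_required'."""
    if not session.valid:
        return "login_required"            # session ended: must reauthenticate
    if now < user.locked_until:
        return "locked"                    # temporary lockout still active
    for c in list(user.codes):
        if hmac.compare_digest(c, code):   # constant-time comparison
            user.codes.remove(c)           # recovery codes are single use
            user.failures = 0
            return "ok"
    user.failures += 1
    if user.failures >= MAX_FAILURES:
        user.locked_until = now + LOCKOUT_SECONDS
        user.failures = 0
        if invalidate_on_lockout:
            session.valid = False          # the fix: lockout also ends the session
        return "locked"
    return "invalid"


def attempt_after_lockout(invalidate_on_lockout, code):
    """Trigger a lockout, wait for it to expire, then try `code` without logging in."""
    user = UserState(codes=["abcd-1234", "efgh-5678"])   # constructed sample codes
    session = AuthSession(user="alice")
    for i in range(MAX_FAILURES):
        verify_recovery_code(user, session, f"wrong-{i}", float(i), invalidate_on_lockout)
    return verify_recovery_code(user, session, code, user.locked_until + 1, invalidate_on_lockout)
```

With `invalidate_on_lockout=False` the post-lockout attempt is judged on its merits again (the reported bug); with it set to `True` every attempt after the lockout, even a correct code, is answered with `login_required`.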

@douglaspalmer douglaspalmer added kind/bug Categorizes a PR related to a bug status/triage team/core labels Jan 13, 2024
@douglaspalmer douglaspalmer self-assigned this Jan 13, 2024
@ghost ghost added the area/authentication Indicates an issue on Authentication area label Jan 13, 2024
@douglaspalmer douglaspalmer added this to the 24.0.0 milestone Jan 13, 2024
douglaspalmer added a commit to douglaspalmer/keycloak that referenced this issue Jan 13, 2024
Closes keycloak#26180

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
douglaspalmer added a commit to douglaspalmer/keycloak that referenced this issue Jan 19, 2024
Closes keycloak#26180

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
ahus1 pushed a commit that referenced this issue Jan 22, 2024
Closes #26180

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
ShefeeqPM pushed a commit to ShefeeqPM/keycloak that referenced this issue Jan 27, 2024
Closes keycloak#26180

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
ahus1 pushed a commit to ahus1/keycloak that referenced this issue Mar 22, 2024
Closes keycloak#26180

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>