I am using Keycloak 4.8.0 and have enabled brute force attack detection for my realm. Now whenever a user provides wrong credentials 3 times, the user is locked temporarily.
But the user will still see "Invalid username/password".
According to this thread Keycloak has done this intentionally: https://issues.jboss.org/browse/KEYCLOAK-5284
But I still want to show the user that his account has been locked.
Is there any way to customize this message?
I tried doing this by adding a message in my custom Keycloak theme as below:
location: themes\adminlte\login\messages\messages_en.properties

    accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later.

This change is not working.
After going through the Keycloak base code, what I found is: Keycloak uses Messages.INVALID_USER (invalidUserMessage) from the properties, which is written in the AbstractFormAuthenticator class.
This class is in the end extended by UsernamePasswordForm. Now, to change this to a custom message, I wrote a custom authenticator (Keycloak SPI) like below:
    import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
    import org.keycloak.services.messages.Messages;

    public class CustomUsernameFormAuthenticator extends UsernamePasswordForm {
        // Return the lockout message key instead of the generic invalidUserMessage
        @Override
        protected String tempDisabledError() {
            return Messages.ACCOUNT_TEMPORARILY_DISABLED;
        }
    }
After this, deploy the SPI jar in Keycloak and enable it in your realm. And we are done :)
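Registering the override as an authenticator SPI, as an added example that is not part of the answer above or of the Keycloak code base: the factory extends Keycloak's own UsernamePasswordFormFactory (present in 4.x), so only the provider id, display name and the created instance change; the package name and provider id are assumptions, and the authenticator class repeats the override from the answer so the file is self-contained.

```java
package com.example.keycloak;  // assumed package name

import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.messages.Messages;

/** Same override as in the answer: show the lockout message instead of invalidUserMessage. */
class CustomUsernameFormAuthenticator extends UsernamePasswordForm {
    @Override
    protected String tempDisabledError() {
        return Messages.ACCOUNT_TEMPORARILY_DISABLED;
    }
}

/**
 * Factory that makes the custom form selectable as an execution in a copied
 * browser flow. Extending the stock factory keeps its requirement choices and
 * reference category; only the id, display name and created instance differ.
 */
public class CustomUsernameFormAuthenticatorFactory extends UsernamePasswordFormFactory {
    // Assumed provider id; it must differ from the stock "auth-username-password-form"
    public static final String PROVIDER_ID = "custom-username-password-form";
    // The form authenticator is stateless, so one shared instance is enough (as in the stock factory)
    private static final CustomUsernameFormAuthenticator INSTANCE = new CustomUsernameFormAuthenticator();

    @Override
    public Authenticator create(KeycloakSession session) {
        return INSTANCE;
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Username Password Form (lockout message)";
    }
}
```

The jar must also contain META-INF/services/org.keycloak.authentication.AuthenticatorFactory listing the factory's fully qualified class name. In the admin console, copy the Browser flow, replace the Username Password Form execution with the new one, and bind the copied flow as the realm's browser flow.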
This behavior was changed in keycloak/keycloak#2323, with no explanation in the PR description or commit messages. The original Jira ticket (KEYCLOAK-2585) is also long gone.
@Marcel's comment explains that displaying a different error message when the account is locked is a security vulnerability, as it allows an attacker to harvest usernames/email addresses:
If you do this, a smart brute force detection can find all email addresses available in your system by just temporarily locking them. This is why the lock message is intentionally not added
However, I could not find any explanation of why the different error message couldn't be displayed ONLY if the right password is given (by moving the brute force check after the password validation).
After seriously thinking it through, I realized that displaying a different error message even if the right password is given is also a security vulnerability, because an attacker can continue to brute force attack an account after it is temporarily locked, until the different error message is given, indicating the right password has been guessed. This essentially renders the brute force protection useless to a well-crafted brute force script.
I would suggest against changing this behavior.
Note also that @Sarang's answer is no longer valid with Keycloak 13+ due to keycloak/keycloak#7976.