Keycloak: Indicate user is temporarily locked

After a user has failed to log in too many times in too short a time; Is there a way to have the Keycloak login screen tell the user that they are temporarily locked, so they can know they have to wait and try again later?

At the moment it continues to tell them their password is wrong, so they will probably keep trying, and may end up being told their correct password is incorrect.

Ideally I'd like to be able to do this with only changes to the login theme, and without making extra API calls.

kiml42 asked Jan 04 '17 15:01

1 Answer

Yes. It's available in the UserRepresentation returned by

GET /{realm}/users/{id}

You can also check brute force status on

GET /{realm}/attack-detection/brute-force/users/{userId}

The latter will only show if it's temporarily disabled.

You can make it without any extra API calls; just use:

Admin REST APIs (Get Users and Get Representation Of User) return inconsistent values of the attribute "enabled" after "Max Login Failure" attempts are exceeded

Description

Different returned values of the parameter "enabled" (for a given {uid}) between the following admin REST API requests after "Max Login Failure" attempts are exceeded.

  1. Get representation of the user

GET /admin/realms/{realm}/users/{id} => "enabled":false

  2. Get users

2.1 GET /admin/realms/{realm}/users => "enabled":true

2.2 GET /admin/realms/{realm}/users?search={string} => "enabled":true

  3. Get status of a username in brute force detection

GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username} => ("disabled":true)

Note: GUI Admin console returns user=disabled and locked after Max Login Failure attempts.

Aman Jaiswal answered Nov 16 '22 04:11
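As an added illustration of the admin-side check the answer describes (example code, not from the original post or from Keycloak itself), the helper below combines the user representation with the brute-force status endpoint to tell a temporary lockout apart from an administratively disabled account. It assumes the response shapes named in the answer (a UserRepresentation with "enabled", and a brute-force status object with "disabled" and "numFailures"); the base URL, realm, bearer token and the sample responses are constructed assumptions.

```python
"""Classify a Keycloak account's lock state from admin REST API responses.

Added example, not Keycloak's own code. Assumes the admin API paths shown in
the answer and a brute-force status object carrying "disabled" and
"numFailures". The sample responses below are constructed, not captured.
"""
import json
import urllib.request

# Constructed sample responses, modelled on the shapes the answer describes.
USER_REP = json.loads('{"id": "u-1", "username": "alice", "enabled": true}')
BRUTE_FORCE_LOCKED = json.loads('{"numFailures": 5, "disabled": true}')
BRUTE_FORCE_CLEAR = json.loads('{"numFailures": 0, "disabled": false}')


def fetch_json(base_url: str, realm: str, path: str, token: str) -> dict:
    """GET {base_url}/admin/realms/{realm}/{path} with an admin bearer token.
    Not exercised offline; base_url/realm/token are assumptions."""
    url = f"{base_url}/admin/realms/{realm}/{path}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lock_state(user_rep: dict, brute_force: dict) -> str:
    """Return 'temporarily_locked', 'disabled' or 'active'.

    The brute-force endpoint is treated as the authoritative signal for a
    temporary lockout, because the answer shows that "enabled" in the user
    representation disagrees with the list/search endpoints while a lockout
    is active. An account is reported as administratively disabled only when
    "enabled" is false and no brute-force lock is in effect.
    """
    if bool(brute_force.get("disabled", False)):
        return "temporarily_locked"
    if not user_rep.get("enabled", True):
        return "disabled"
    return "active"


def support_message(user_rep: dict, brute_force: dict) -> str:
    """Human-readable status a helpdesk tool could show instead of
    'wrong password', so the user knows to wait rather than keep retrying."""
    state = lock_state(user_rep, brute_force)
    failures = int(brute_force.get("numFailures", 0))
    if state == "temporarily_locked":
        return (f"Account temporarily locked after {failures} failed logins; "
                "wait before retrying instead of re-entering the password.")
    if state == "disabled":
        return "Account is disabled by an administrator; contact support."
    return f"Account active ({failures} recent failed logins)."
```

To query a live server, call `fetch_json(base, realm, f"users/{uid}", token)` and `fetch_json(base, realm, f"attack-detection/brute-force/users/{uid}", token)` and pass the two results to `support_message`.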