keycloak/keycloak

In some instances 'lastFailure' is missing from user brute force status

Open

#46636 opened on Feb 26, 2026

View on GitHub
 (1 comment) (1 reaction) (1 assignee)Java (34,398 stars) (8,346 forks)batch import
area/authenticationhelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-clients

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

Troublesome code:

DefaultBruteForceProtector#failure

    long last = userLoginFailure.getLastFailure();
    long deltaTime = 0;
    if (last > 0) {
        deltaTime = failureTime - last;
    }
    userLoginFailure.setLastFailure(failureTime);

    if (!(realm.isPermanentLockout() && realm.getMaxTemporaryLockouts() == 0) && deltaTime > 0) {
        // if last failure was more than MAX_DELTA clear failures
        if (deltaTime > (long) realm.getMaxDeltaTimeSeconds() * 1000L) {
            userLoginFailure.clearFailures();
        }
    }
    userLoginFailure.incrementFailures();
    logger.debugv("new num failures: {0}", userLoginFailure.getNumFailures());

This sets last failure time to T2 and further clears it in userLoginFailure.incrementFailures()

This causes that for n = 1, lastFailure is null and lastFailure is not displayed in api as it is null for this case.

Version

26.3.2

Regression

  • The issue is a regression

Expected behavior

brute force status features following attributes:

locked: false
failureCount
lastFailure

Actual behavior

brute force status features following attributes:

locked: false
failureCount

lastFailure is missing

How to Reproduce?

Preconditions: A user in blockes status exists in the system.

Steps:

  1. Check brute force status of user from preconditions to verify their status,
  2. Log in using user from preconditions by providing the proper login and password
  3. Remove the brute force status from the user from preconditions
  4. Repeat step 1

Anything else?

No response

Contributor guide

Tech stack
java
Domain
authenticationbackendsecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
JavaBasic understanding of authentication flow
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Examine DefaultBruteForceProtector.java, specifically the failure() method. The bug occurs when lastFailure is set after deltaTime calculation but before incrementFailures() clears failures, causing lastFailure to be null for the first failure. Investigate the logic in incrementFailures() and how UserLoginFailure exposes lastFailure via the API. Consider adjusting the order of operations to ensure lastFailure is set before any clearing. Look at the UserLoginFailure model and its API serialization to confirm how null lastFailure is omitted. No existing PRs are linked, so a fix would involve modifying DefaultBruteForceProtector.java and adding tests for the scenario described.