Adding upgrading notes for brute force changes

Closes #31960

Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc 2024-08-07 10:49:53 +02:00 committed by Marek Posolda
parent f3341390f4
commit acbbfde4ab
3 changed files with 29 additions and 0 deletions


@ -0,0 +1,10 @@
= Concurrent login requests are blocked by default when brute force is enabled
If an attacker launched many login attempts in parallel then the attacker could have more guesses at a password than the brute force protection configuration permits. This was due to the brute force check occurring before the brute force protector has locked the user. To prevent this race the Brute Force Protector now rejects all login attempts that occur while another login is in progress in the same server.
If, for whatever reason, the new feature wants to be disabled there is a startup factory option:
[source,bash]
----
bin/kc.[sh|bat] start --spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests=true
----


@ -5,6 +5,10 @@
include::changes-26_0_0.adoc[leveloffset=3] include::changes-26_0_0.adoc[leveloffset=3]
=== Migrating to 25.0.3
include::changes-25_0_3.adoc[leveloffset=3]
=== Migrating to 25.0.2 === Migrating to 25.0.2
include::changes-25_0_2.adoc[leveloffset=3] include::changes-25_0_2.adoc[leveloffset=3]


@ -17,9 +17,12 @@
package org.keycloak.services.managers; package org.keycloak.services.managers;
import java.util.List;
import org.keycloak.Config; import org.keycloak.Config;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@ -55,4 +58,16 @@ public class DefaultBruteForceProtectorFactory implements BruteForceProtectorFac
public String getId() { public String getId() {
return "default-brute-force-detector"; return "default-brute-force-detector";
} }
@Override
public List<ProviderConfigProperty> getConfigMetadata() {
return ProviderConfigurationBuilder.create()
.property()
.name("allowConcurrentRequests")
.type("boolean")
.helpText("If concurrent logins are allowed by the brute force protection.")
.defaultValue(false)
.add()
.build();
}
} }
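Review bot: The key `"allowConcurrentRequests"` in the new getConfigMetadata() is a bare literal, and the code that actually reads it from the `Config.Scope` (presumably `init()`, which is not in this hunk) has to spell the same string, otherwise the option is advertised in the config metadata but never honoured; I would hoist it into `private static final String ALLOW_CONCURRENT_REQUESTS = "allowConcurrentRequests";` and use `.name(ALLOW_CONCURRENT_REQUESTS)` in both places. The type can use the existing constant, `.type(ProviderConfigProperty.BOOLEAN_TYPE)`, now that the class is imported. The help text should also state what the flag costs: the upgrade note on this commit explains that allowing concurrent logins lets parallel attempts exceed the configured failure limit, so a sentence such as "Enabling this lets parallel login attempts exceed the configured brute force limits; leave disabled unless required." belongs in the helpText rather than only in the release notes. I am assuming the camelCase key maps to the kebab-case CLI option quoted in the upgrade note (`allow-concurrent-requests`); that mapping is not visible here and is worth confirming. The enclosing class starts before this hunk.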