
Conversation

@sabeer02

Root Cause

Users with valid credentials were being locked out when hitting session limits because the system treated session denials as authentication failures, incrementing the brute force counter.

Solution

Changed DENY_NEW_SESSION handling from context.failure() to context.forceChallenge()
Updated error event from GENERIC_AUTHENTICATION_ERROR to ACCESS_DENIED
Updated tests to match new error behavior

Impact

Session limit denials no longer increment brute force counters, preventing legitimate users from being locked out due to session limits.

Fixes: #44474

- Changed from context.failure() to context.forceChallenge() in DENY_NEW_SESSION case
- Updated event error from GENERIC_AUTHENTICATION_ERROR to ACCESS_DENIED
- Updated test to match new ACCESS_DENIED error for session limit denial
- Prevents users with valid credentials from being locked out due to session limits
- Session limit denial is now treated as a policy challenge, not authentication failure

Fixes: keycloak#44474
Signed-off-by: Sabeer Muhaiadeen N <[email protected]>
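As an added illustration of the change described above (example code, not Keycloak's own UserSessionLimitsAuthenticator and not part of this PR), the two private methods below show the before and after shape of the DENY_NEW_SESSION branch inside a minimal custom Authenticator. The class name, the fixed per-user cap, the `sessionLimitExceeded` message key and the `jakarta.ws.rs` import (Keycloak 22 and later) are assumptions; the SPI calls (`context.failure`, `context.forceChallenge`, `context.form().createErrorPage`, `Errors.ACCESS_DENIED`) are the ones the PR text refers to.

```java
// Added example: a minimal custom Authenticator that caps concurrent user
// sessions. Not the project's own code; names marked hypothetical are assumed.
package com.example.auth;

import jakarta.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class SessionCapAuthenticator implements Authenticator {

    // Hypothetical fixed cap; a real authenticator reads this from its config.
    private static final long MAX_SESSIONS_PER_USER = 2;
    // Hypothetical message key rendered on the error page.
    private static final String ERROR_KEY = "sessionLimitExceeded";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        RealmModel realm = context.getRealm();
        UserModel user = context.getUser();
        KeycloakSession session = context.getSession();

        // The user has already proven who they are at this point in the flow;
        // we only decide whether policy allows one more session.
        long active = session.sessions().getUserSessionsStream(realm, user).count();
        if (active < MAX_SESSIONS_PER_USER) {
            context.success();
            return;
        }
        denyNewSession(context);
    }

    // Before the fix: the denial is reported as an authentication failure.
    // A failure with GENERIC_AUTHENTICATION_ERROR is indistinguishable from a bad
    // password to the rest of the flow, so brute force protection counts it.
    private void denyNewSessionBefore(AuthenticationFlowContext context) {
        context.getEvent().error(Errors.GENERIC_AUTHENTICATION_ERROR);
        Response page = context.form()
                .setError(ERROR_KEY)
                .createErrorPage(Response.Status.FORBIDDEN);
        context.failure(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR, page);
    }

    // After the fix: the denial is a policy decision. The flow is stopped and the
    // same 403 page is shown, but nothing is recorded as a failed login attempt.
    // The event is still emitted, now as ACCESS_DENIED, so it stays auditable.
    private void denyNewSession(AuthenticationFlowContext context) {
        context.getEvent().error(Errors.ACCESS_DENIED);
        Response page = context.form()
                .setError(ERROR_KEY)
                .createErrorPage(Response.Status.FORBIDDEN);
        context.forceChallenge(page);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form is posted back from the error page; nothing to do.
    }

    @Override
    public boolean requiresUser() {
        // The session count is per user, so this step must run after the user is known.
        return true;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

To verify the behaviour after deploying an authenticator like this, log in as a valid user until the cap is hit, then query the admin REST endpoint `GET /admin/realms/{realm}/attack-detection/brute-force/users/{userId}`: `numFailures` should remain 0 and `disabled` should be false, while the realm event log still shows an ACCESS_DENIED error event for that user. With the `denyNewSessionBefore` variant, `numFailures` climbs on every denied attempt and, once it crosses the realm's failure threshold, the user is temporarily or permanently locked out.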

@keycloak-github-bot (bot) left a comment

Unreported flaky test detected, please review

@keycloak-github-bot

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys

Keycloak CI - WebAuthn IT

java.lang.AssertionError: 

Expected: is <4>
     but: was <0>
	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
...


@sabeer02
Author

Flaky test reported: #45546


Successfully merging this pull request may close these issues.

Keycloak Maximum Concurrent Session Limit is incorrectly registered as a login failure, triggering Keycloak's Brute Force protection
