Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
When configuring and enabling "Brute Force Detection" within the authentication settings of any realm, it is possible to enter negative values for fields such as Max Login Failures and Max Wait. These negative values are then stored as-is in the Keycloak database. However, from a logical standpoint, such negative values are invalid and should not be allowed.
The proper solution would be to validate these values within the realm adapter’s setters before they are assigned, ensuring that invalid (negative) inputs are rejected early on.
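A model of the fix the report proposes, as an added example that is not Keycloak's code: every setter validates before storing, so a negative Max Login Failures or Max Wait is rejected at the boundary and the lockout computation that consumes the settings (a simplified model assumed here, not Keycloak's exact algorithm) can rely on the invariant.

```python
# Added example: setter-level validation for brute-force detection settings.
# Field names mirror the admin console labels; the lockout formula is an assumption.

class InvalidBruteForceSetting(ValueError):
    """A brute-force detection field received a value outside its domain."""


def _positive_int(label, value):
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or value < 1:
        raise InvalidBruteForceSetting(f"{label} must be a positive integer, got {value!r}")
    return value


class BruteForceSettings:
    """Hypothetical realm-adapter-style holder: invalid values never reach storage."""

    _POSITIVE_FIELDS = {
        "max_login_failures": "Max Login Failures",
        "wait_increment_seconds": "Wait Increment",
        "max_wait_seconds": "Max Wait",
    }

    def __init__(self, max_login_failures, wait_increment_seconds, max_wait_seconds):
        self.max_login_failures = max_login_failures
        self.wait_increment_seconds = wait_increment_seconds
        self.max_wait_seconds = max_wait_seconds

    def __setattr__(self, name, value):
        # Validate at assignment time, both on construction and on later updates.
        if name in self._POSITIVE_FIELDS:
            value = _positive_int(self._POSITIVE_FIELDS[name], value)
        super().__setattr__(name, value)


def lockout_wait_seconds(settings, failures):
    """Simplified temporary-lockout model (assumption): one wait increment per
    block of max_login_failures consecutive failures, capped at max_wait_seconds."""
    steps = failures // settings.max_login_failures
    return min(settings.wait_increment_seconds * steps, settings.max_wait_seconds)


def rejects(settings, field, value):
    """True if assigning `value` to `field` is refused by the setter."""
    try:
        setattr(settings, field, value)
    except InvalidBruteForceSetting:
        return True
    return False


def demo():
    ok = BruteForceSettings(max_login_failures=3, wait_increment_seconds=60, max_wait_seconds=900)
    waits = [lockout_wait_seconds(ok, n) for n in (2, 3, 6, 100)]  # [0, 60, 120, 900]
    return waits, rejects(ok, "max_login_failures", -1)
```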
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
I expect that providing a negative value should trigger an exception, indicating that the value is invalid and not acceptable.
Actual behavior
Currently, negative values entered in the mentioned fields are stored, but they behave the same way as if the value were set to 1.
How to Reproduce?
Navigate to your desired realm, go to the Authentication section, then select Security Defenses and choose Brute Force Detection.
Anything else?
No response