As an administrator, I want to have a user locked if I have set lockout settings and the failed attempts are reached.
Acceptance Criteria
- If I have set the lockout settings' password attempts to 3, the user should be locked after 3 failed password attempts (also works with OTP attempts)
- If I enter a wrong password on two different browsers (e.g. mobile phone, Mac), the user should be locked after 3 failed attempts in total (also works with OTP attempts)
- If the lockout setting is set to 0 attempts, the user should not be locked at all
- If I read the user after failed attempts, the user has the state locked
- I am not able to create a session for a locked user
# Which Problems Are Solved
The session API was designed to be flexible enough for multiple use
cases / login scenarios, where the login could respect the login policy
or not. The session API itself does not have a corresponding policy and
would not check for a required MFA or the like. It therefore also did not
yet respect the lockout policy and would leave it to the login UI to
handle that.
Since the lockout policy is related to the user and not the login
itself, we decided to handle the lockout also on calls of the session
API.
# How the Problems Are Solved
If a lockout policy is set for either password or (T)OTP checks, the
corresponding check on the session API will be run against the lockout check.
This means that any failed check, regardless of whether it occurred in the session
API or the current hosted login, will be counted against the maximum
allowed checks of that authentication mechanism. TOTP, OTP SMS and OTP
Email are each treated as a separate mechanism.
For implementation:
- The existing lockout check functions were refactored to be usable for
session API calls.
- `SessionCommand` type now returns not only an error, but also
`[]eventstore.Command`
  - these will be executed in case of an error
# Additional Changes
None.
# Additional Context
Closes #7967
---------
Co-authored-by: Elio Bischof <elio@zitadel.com>
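The behaviour the acceptance criteria ask for and the mechanism the PR describes (a per-user, per-mechanism failure counter that the session API and the hosted login both feed, with 0 meaning no lockout and a locked user unable to obtain a session) can be sketched as a small in-memory model. This is an added illustration, not ZITADEL's own code: `Store`, `Command`, `Check` and `CreateSession` are hypothetical names, `Command` only stands in for the `[]eventstore.Command` the PR says `SessionCommand` now returns, and resetting a mechanism's counter on a successful check is an assumption the page does not state.

```go
package main

import (
	"errors"
	"fmt"
)

// Mechanism is an authentication check with its own failure counter.
// TOTP, OTP SMS and OTP email are counted separately, as the PR states.
type Mechanism string

const (
	MechPassword Mechanism = "password"
	MechTOTP     Mechanism = "totp"
	MechOTPSMS   Mechanism = "otp_sms"
	MechOTPEmail Mechanism = "otp_email"
)

// LockoutPolicy holds the maximum failed attempts; 0 disables lockout
// for that check. One OTP limit applies to each OTP mechanism separately.
type LockoutPolicy struct {
	MaxPasswordAttempts uint
	MaxOTPAttempts      uint
}

func (p LockoutPolicy) maxFor(m Mechanism) uint {
	if m == MechPassword {
		return p.MaxPasswordAttempts
	}
	return p.MaxOTPAttempts
}

// Command is a hypothetical stand-in for the []eventstore.Command that the
// PR says SessionCommand now returns together with the error.
type Command struct {
	UserID, SessionID, Type string
}

var (
	ErrUserLocked  = errors.New("user is locked")
	ErrCheckFailed = errors.New("authentication check failed")
)

type user struct {
	locked bool
	failed map[Mechanism]uint // kept on the user, so every session/browser shares it
}

// Store is an in-memory stand-in for the user state (hypothetical).
type Store struct {
	policy LockoutPolicy
	users  map[string]*user
}

func NewStore(p LockoutPolicy, userIDs ...string) *Store {
	s := &Store{policy: p, users: map[string]*user{}}
	for _, id := range userIDs {
		s.users[id] = &user{failed: map[Mechanism]uint{}}
	}
	return s
}

func (s *Store) IsLocked(userID string) bool { return s.users[userID].locked }

// Check records the outcome of one authentication check made from sessionID.
// On failure it returns the commands to persist alongside the error and locks
// the user once the per-mechanism maximum is reached. The counter is keyed by
// user, not by session, so failures from two browsers add up.
func (s *Store) Check(userID, sessionID string, m Mechanism, ok bool) ([]Command, error) {
	u := s.users[userID]
	if u.locked {
		return nil, ErrUserLocked
	}
	if ok {
		delete(u.failed, m) // assumption: a success resets that mechanism's counter
		return nil, nil
	}
	u.failed[m]++
	cmds := []Command{{UserID: userID, SessionID: sessionID, Type: "check_failed:" + string(m)}}
	if limit := s.policy.maxFor(m); limit > 0 && u.failed[m] >= limit {
		u.locked = true
		cmds = append(cmds, Command{UserID: userID, Type: "user_locked"})
	}
	return cmds, ErrCheckFailed
}

// CreateSession refuses locked users, matching the last acceptance criterion.
func (s *Store) CreateSession(userID string) (string, error) {
	if s.users[userID].locked {
		return "", ErrUserLocked
	}
	return "session-for-" + userID, nil
}

func main() {
	s := NewStore(LockoutPolicy{MaxPasswordAttempts: 3, MaxOTPAttempts: 3}, "alice")
	s.Check("alice", "mobile", MechPassword, false)
	s.Check("alice", "mobile", MechPassword, false)
	cmds, err := s.Check("alice", "mac", MechPassword, false) // third failure, other browser
	fmt.Println(cmds, err, s.IsLocked("alice"))
	_, err = s.CreateSession("alice")
	fmt.Println(err)
}
```

The point worth checking in a real implementation is the keying: if the counter hung off the session instead of the user, a client could keep opening fresh sessions and never hit the limit, which is exactly the "two different browsers" criterion above.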