keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Extend brute force protection to the password change API endpoint #31984

Closed michaeloreillyintel closed 2 weeks ago

michaeloreillyintel commented 1 month ago

Before reporting an issue

Area

account/api

Describe the bug

An attacker can run a dictionary attack on the password change endpoint and will not be rate limited or have any sort of wait times applied in the way that brute force detection applies to login attempts.

Version

25.0.0

Regression

Expected behavior

A user is able to hit the password change endpoint repeatedly until they find the oldPassword and specify a new password.

Actual behavior

The endpoint should be locked out after a number of failed attempts, similar to the login brute force protection.

How to Reproduce?

Using a tool such as POSTMan or crafted in Python, you can repeatedly POST oldPassword values to /realms/master/account/password with a known new password. By parsing responses, you will know when the password was changed successfully.

Anything else?

No response

rmartinc commented 4 weeks ago

Hi @michaeloreillyintel!

The account endpoint for the password /realms/master/account/password was removed long ago when moving to account v2. I think it was this issue https://github.com/keycloak/keycloak/issues/9864 which was added for Keycloak 22. So right now in version 25 that endpoint does not exist and the new account v3 uses AIA (Application Initiated Action) to change the password, which goes to the same login process and the brute force is there if enabled. Am I missing something?
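Since the AIA password change only inherits lockout behaviour when brute force detection is turned on for the realm, an added example (not from this thread or the Keycloak project) that audits a RealmRepresentation, as returned by `GET /admin/realms/{realm}` or a realm export, for the relevant settings. The sample export and the `max_failures` policy threshold are constructed; the JSON keys are Keycloak's own RealmRepresentation fields.

```python
"""Audit a Keycloak realm export for brute force detection settings.

Added example, not part of the issue thread. The AIA password change goes
through the login flow, so it is only protected if the realm has
bruteForceProtected enabled and tuned sensibly.
"""
import json

# Constructed sample realm export, trimmed to the keys that matter here.
SAMPLE_REALM = json.dumps({
    "realm": "master",
    "bruteForceProtected": True,
    "permanentLockout": False,
    "failureFactor": 30,
    "waitIncrementSeconds": 60,
    "maxFailureWaitSeconds": 900,
    "maxDeltaTimeSeconds": 43200,
    "minimumQuickLoginWaitSeconds": 60,
    "quickLoginCheckMilliSeconds": 1000,
})


def audit_brute_force(realm_json: str, max_failures: int = 10) -> dict:
    """Return {"realm", "enabled", "findings"} for a RealmRepresentation.

    max_failures is an assumed local policy ceiling for failureFactor
    (failed logins before temporary lockout), not a Keycloak default.
    """
    realm = json.loads(realm_json)
    findings = []
    enabled = bool(realm.get("bruteForceProtected", False))
    if not enabled:
        findings.append("bruteForceProtected is false: login and AIA "
                        "password-change flows get no lockout or wait time")
    else:
        factor = realm.get("failureFactor")
        if factor is None or factor > max_failures:
            findings.append(f"failureFactor={factor} exceeds policy "
                            f"maximum of {max_failures}")
        # With temporary lockout, a zero wait increment means no delay at all.
        if (not realm.get("permanentLockout")
                and realm.get("waitIncrementSeconds", 0) <= 0):
            findings.append("waitIncrementSeconds is 0: temporary lockout "
                            "applies no wait between attempts")
    return {"realm": realm.get("realm"), "enabled": enabled,
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_brute_force(SAMPLE_REALM), indent=2))
```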

keycloak-github-bot[bot] commented 4 weeks ago

Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce.

Please provide additional details, otherwise this issue will be automatically closed within 14 days.

keycloak-github-bot[bot] commented 2 weeks ago

Due to lack of updates in the last 14 days this issue will be automatically closed.