Calling failureChallenge in case of failure in sending sms to to the user

[mhewedy]

Regarding this line:

https://github.com/dasniko/keycloak-2fa-sms-authenticator/blob/main/src/main/java/dasniko/keycloak/authenticator/SmsAuthenticator.java#L54C12-L54C28

When calling failureChallenge in case of failure in sending sms to to the user, and if there's an issue in the SMS gateway, the user account will be locked after a number of attempts (without the user fault, it is just a system fault that affects the user)

As the documentation says about failureChallenge: ( https://www.keycloak.org/docs-api/21.0.0/javadocs/org/keycloak/authentication/AbstractAuthenticationFlowContext.html#failureChallenge(org.keycloak.authentication.AuthenticationFlowError,javax.ws.rs.core.Response) )

void failureChallenge​(AuthenticationFlowError error, javax.ws.rs.core.Response challenge)
Same behavior as forceChallenge(), but the error count in brute force attack detection will be incremented. For example, if a user enters in a bad password, the user is directed to try again, but Keycloak will keep track of how many failures have happened.

What do you think about this? should we call another method that sends an error to the user but does not count the attempt in the brute force attach detection?

[dasniko]

You are free to call whichever method you like.
This is just a demo implementation and must be reviewed/adjusted to your requirements before using it in your environment.
See it as an example and guideline, what and how something is possible in general.

[mhewedy]

Thanks for your instant reply.

And yes I agree with you, this is a demo implementation.

I am writing here to ask for your advice. about such a scenario.

[dasniko]

In this special case, when coping mostly with some kind of IOException or some communication error, just calling .failure() would be sufficient.

[mhewedy]

Thanks