keycloak/keycloak-documentation

Allow custom message for brute force detection temporary lockout

Nogginboink opened this issue · 1 comment

Description

The docs clearly state that when brute force detection temporarily locks out an account, the user will receive an 'invalid username or password' message to prevent leaking information to an attacker.

I would like to return a custom message, such as 'your account has been temporarily locked out due to too many failed logon attempts. Please try again in 15 minutes.'

Discussion

No response

Motivation

While the current behavior is certainly more secure than my proposed enhancement, not all use cases are best served by the default behavior. Consumers, in particular, may need a little more handholding by the system than the current behavior allows. Keycloak should allow the application owner to make the tradeoff between security and usability according to the specific use case. In some cases, weakening security to enhance usability is a valid business decision.

Details

No response

I just noticed that this issue list is for documentation issues. My apologies.