[FEATURE-1570] User lockout feature

We’re running Ignition 8.0.6. Users login to our Perspective projects through the built-in ID provider referencing back to a manual-mode user DB.

One of our employees couldn’t login. He then asked an admin to reset his password, who did, but he was still unable to login.

I came by 20+ minutes later and reset the password and he was able to login just fine.

Looking back through the server log, I see lines like this around the time of his original login and the attempts just after the admin reset it:

INFO   | jvm 1    | 2019/12/03 17:28:00 | I [U.DB_ManualMode               ] [17:28:00]: User 'xxx' is now locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:31:53 | I [U.DB_ManualMode               ] [17:31:53]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:33:08 | I [U.DB_ManualMode               ] [17:33:08]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:34:11 | I [U.DB_ManualMode               ] [17:34:11]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id

I found the lockout settings on the user DB page, and assume that must be what was going on. I’ve searched the manual and forums for more details on the lockout feature, but I’m not finding anything.

Is there anything an admin could have done to reset the lockout period and allow him to login sooner?

Hi @justin.brzozoski -

The only way to immediately clear the lockout is to disable lockout on a user source profile and save. You can then immediately re-enable the lockout and save (if you wish to keep it enabled). This clears all current lockouts for all users for the user source profile.

1 Like

There should be an entry in the audit log for a user lockout event. As of 8.1.0 there isn’t.

I added a ticket for auditing the moment a user becomes locked out.

1 Like

There is no feedback to the user that login failures are due to a locked account. This is a poor UX. Can we add another feature to the backlog to fix that?

This is security, which I’ll grant you can be interpreted as poor UX. Leaking information about why a login attempt fails is bad practice.


Is this still the only way to disable a lockout for a single user - to make the disable lockout for the entire user source and then re-enable? Or is there a way to do it on an individual basis now? Not a big deal just curious.

This is still the only way. We do have an internal ticket tracking an effort to add a user interface to view currently locked out users and unlock them on a more fine-grained basis (IGN-5298), but it has yet to be spec’d and designed, so it will probably be a while until it is fully implemented…

  • An interface in the gateway webpage is a minimum for this FR, Currently I need to guess why login fails…
  • A system tag pr user would be wonderful
  • A system.security.getLockStatus(user) would be second best
    (both would allow me to present relevant info in a admin dashboard)
  • lockUser(user), unlockUser(user) would be nice-to-have features
1 Like

FWIW in the gateway logs it will tell you when a user get’s locked out and what IP address the sign-in attempts came from - this helped me realize it was just from my employee’s computer and not some outside source and so nothing to be too worried about.

I agree with your other points though. A way to lock or unlock a single user instead of the user-source wholesale is definitely the right way to do this sort of thing. I imagine a case where one user is legitimately locked out due to an outside IP address trying to brute force a password, and another user just accidentally messed up a few times. I wouldn’t want to unlock the first user, but would want to unlock the second user.


@jspecht any update on this ticket? From what I can see, unlocking is still only done by making a change to user source.

1 Like

It's not 100% clear in the documentation: how long until a lockout automatically resets on it's own (w/o having to edit the user source)?

I don't think it ever automatically resets.