Rate Limiting

Per-IP and per-client rate limiting with brute force detection.

Requirements Coverage

| Requirement ID  | Description                                    |
|-----------------|------------------------------------------------|
| REQ-SEC-001     | Detect brute force login attempts              |
| REQ-HEALTH-001  | HTTP health check endpoint on separate port    |

Test Examples

| Test ID   | Status  | Description                  |
|-----------|---------|------------------------------|
| RATE-001  | BLOCKED | Per-IP rate limit exceeded   |

Sample Request

# After exceeding KC_RATE_LIMIT_RPS (default 10) requests/second from same IP
curl 'https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/token'

Expected Response

{"error":"temporarily_unavailable","error_description":"Rate limit exceeded"}
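The following is an added illustration of the behaviour described above, not the project's own code: a sliding-window limiter keyed per IP and per client that returns the JSON body shown under Expected Response once KC_RATE_LIMIT_RPS (default 10) is exceeded, plus a per-IP failed-login counter for REQ-SEC-001. The per-client variable name, the failure threshold and the 429 status code are assumptions; only the KC_RATE_LIMIT_RPS name, its default and the error body come from the page.

```python
import os
import time
from collections import defaultdict, deque

# Per-IP budget: env var name and default (10 rps) are from the page.
DEFAULT_IP_RPS = int(os.environ.get("KC_RATE_LIMIT_RPS", "10"))
# Per-client budget and brute-force failure budget: names and values are assumptions.
DEFAULT_CLIENT_RPS = int(os.environ.get("KC_RATE_LIMIT_CLIENT_RPS", "50"))
DEFAULT_MAX_FAILURES_PER_MIN = 5
# Response body is the one the page shows; the 429 status code is an assumption.
RATE_LIMIT_STATUS = 429
RATE_LIMIT_BODY = {"error": "temporarily_unavailable", "error_description": "Rate limit exceeded"}


class SlidingWindowLimiter:
    """Counts events per key (IP, client_id, ...) inside a sliding time window."""

    def __init__(self, limit, window=1.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key):
        """Record one event for key; False if the budget for this window is already spent."""
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop events that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class TokenEndpointGuard:
    """Per-IP then per-client limiting in front of the token endpoint, plus failure tracking."""

    def __init__(self, ip_rps=DEFAULT_IP_RPS, client_rps=DEFAULT_CLIENT_RPS,
                 max_failures=DEFAULT_MAX_FAILURES_PER_MIN, clock=time.monotonic):
        self.by_ip = SlidingWindowLimiter(ip_rps, clock=clock)
        self.by_client = SlidingWindowLimiter(client_rps, clock=clock)
        self.failures = SlidingWindowLimiter(max_failures, window=60.0, clock=clock)

    def check(self, ip, client_id):
        """None if the request may proceed, otherwise (status, body) to return to the caller."""
        if not self.by_ip.allow(ip) or not self.by_client.allow(client_id):
            return RATE_LIMIT_STATUS, dict(RATE_LIMIT_BODY)
        return None

    def login_failed(self, ip):
        """Call after a failed credential check; True once the IP's failure budget is exceeded."""
        return not self.failures.allow(ip)
```

A rejected request does not consume a slot, so a client that keeps hammering the endpoint stays blocked only for the remainder of the window rather than indefinitely.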