Problem statement
A log entry shows that a user had a failed login attempt with type:"f" and an "access_denied" error message; however, the user's logins_count was incremented and their last_login was updated at the time of the failed login.
Solution
This is expected behavior if the login was prevented by a Post-Login Action or a Rule. Rules and Post-Login Actions are triggered after a user successfully authenticates, but before the entire login flow is done. The tenant log event for a login flow is not recorded until the entire flow has completed, either by a response being returned to the callback URL or by an error being thrown.
For example, if a Post-Login Action blocks a login using api.access.deny("Denied!"), the sequence of events is:
- The user initiates a login using the connection of their choice.
- The user successfully authenticates. At this point no log event is recorded, although last_login and logins_count are updated.
- Since the user successfully authenticated, Rules and Post-Login Actions are executed.
- The Post-Login Action described above is triggered and blocks the user, returning an error.
- Now that the entire flow has completed, a log event is recorded. In this case, it will be a type:f with description:Denied!
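When triaging failed logins, the sequence above can be checked from the data: the following JavaScript helper, an added example that is not Auth0's code or part of the original article, flags type:f events whose user has a last_login at or just before the event. The 30-second window, the function names, and all sample records are assumptions constructed for illustration.

```javascript
// Added example. Field names (type, date, description, user_id, last_login)
// follow Auth0 log events and user profiles; every value below is constructed.
const WINDOW_MS = 30 * 1000; // assumed gap between authentication and log write

// Compare one log event with the user's profile and say whether last_login
// was updated at the time of the failure.
function classifyFailedLogin(logEvent, user, windowMs = WINDOW_MS) {
  if (logEvent.type !== "f") return "not-a-failed-login";
  if (!user || !user.last_login) return "no-last-login";
  const delta = Date.parse(logEvent.date) - Date.parse(user.last_login);
  if (Number.isNaN(delta)) return "unparseable-timestamp";
  // last_login is set when authentication succeeds; the log event is written
  // only when the flow ends, so a denial leaves last_login just before it.
  if (delta >= 0 && delta <= windowMs) return "denied-after-authentication";
  // A newer last_login means a later login overwrote the evidence.
  if (delta < 0) return "inconclusive";
  return "last-login-not-updated";
}

// Return the failed events that line up with a last_login update.
function findPostAuthDenials(logs, usersById, windowMs = WINDOW_MS) {
  return logs
    .filter((e) => classifyFailedLogin(e, usersById[e.user_id], windowMs)
      === "denied-after-authentication")
    .map((e) => ({ user_id: e.user_id, date: e.date, description: e.description }));
}

// Constructed sample data (not real tenant logs).
const sampleUsers = {
  "auth0|constructed-1": { last_login: "2024-05-01T10:00:01.500Z", logins_count: 7 },
  "auth0|constructed-2": { last_login: "2024-04-20T08:00:00.000Z", logins_count: 3 },
  "auth0|constructed-3": { last_login: "2024-05-01T12:00:00.000Z", logins_count: 9 },
};
const sampleLogs = [
  { type: "f", date: "2024-05-01T10:00:02.000Z", user_id: "auth0|constructed-1", description: "Denied!" },
  { type: "f", date: "2024-05-01T11:00:00.000Z", user_id: "auth0|constructed-2", description: "Denied!" },
  { type: "s", date: "2024-05-01T08:00:00.000Z", user_id: "auth0|constructed-1", description: "" },
  { type: "f", date: "2024-05-01T09:00:00.000Z", user_id: "auth0|constructed-3", description: "Denied!" },
];

console.log(findPostAuthDenials(sampleLogs, sampleUsers));
```

Because last_login holds only the most recent value, run the comparison soon after the event or against a profile snapshot taken at that time; a later login makes the result inconclusive.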