Logins_Count and Last_Login Updated After Failed Login Attempt

Problem statement

A tenant log entry shows a failed login attempt for a user (type: f, with an access_denied error), yet the user's logins_count was incremented and their last_login was updated at the time of that failed attempt.

Solution

This is expected behavior when the login was blocked by a Rule or a Post-Login Action. Rules and Post-Login Actions run after the user has successfully authenticated, but before the whole login flow is finished. The tenant log event for a login flow is not written until the flow completes, either by a response being returned to the callback URL or by an error being thrown. By the time the denial is logged, the successful authentication has already updated logins_count and last_login. When auditing access, treat the log event (type: f versus type: s), not logins_count or last_login, as the record of whether the user was actually granted access.

For example, if a Post-Login Action blocks a login with api.access.deny("Denied!"), the sequence of events is:

  1. The user initiates a login using the connection of their choice.
  2. The user successfully authenticates. At this point no log event is recorded, but last_login and logins_count are updated.
  3. Because the user authenticated successfully, Rules and Post-Login Actions are executed.
  4. The Post-Login Action described above runs and blocks the user, returning an error.
  5. Now that the entire flow has completed, a single log event is recorded. In this case it is a type: f event with the description Denied!, the reason string passed to api.access.deny.
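The sequence above, as an added example that is not part of this article or of Auth0's own code. The first function is a Post-Login Action handler written against the Auth0 Actions API (api.access.deny); in a real Action it is exported as exports.onExecutePostLogin. The rest (runLoginFlow, the in-memory user record and log array, the type s and type f event shapes) is a constructed stand-in that replays the ordering the steps describe, so you can see that the counters move before the Action gets a chance to deny.

```javascript
// Post-Login Action: deny the login unless the user's email is verified.
// Denying here does not undo the authentication that already happened,
// which is why logins_count and last_login have already been updated.
// (In Auth0 this would be `exports.onExecutePostLogin = async (event, api) => {...}`;
// it is kept synchronous here so the harness below stays simple.)
function onExecutePostLogin(event, api) {
  if (!event.user.email_verified) {
    api.access.deny("Denied!");
  }
}

// ---- constructed harness (assumption: not Auth0 code) ----

// Replays the login flow in order: credentials are checked, the user record
// is updated, then Post-Login Actions run, then exactly one log event is written.
function runLoginFlow(user, logs, now = new Date().toISOString()) {
  // Step 2: authentication succeeded; the user record is updated here,
  // before any Rule or Action has run.
  user.logins_count += 1;
  user.last_login = now;

  // Steps 3 and 4: run the Post-Login Action with a minimal mock of the `api` object.
  let denial = null;
  const api = {
    access: {
      deny(reason) {
        denial = reason;
      },
    },
  };
  onExecutePostLogin({ user }, api);

  // Step 5: the flow is complete, so the single tenant log event is written now.
  if (denial !== null) {
    logs.push({ type: "f", description: denial, user_id: user.user_id, date: now });
    return { success: false, error: "access_denied", error_description: denial };
  }
  logs.push({ type: "s", description: "Success Login", user_id: user.user_id, date: now });
  return { success: true };
}

// Constructed sample data: one unverified user hitting the Action's deny path.
const sampleUser = { user_id: "auth0|example", email_verified: false, logins_count: 3, last_login: null };
const sampleLogs = [];
const sampleResult = runLoginFlow(sampleUser, sampleLogs, "2024-01-01T00:00:00.000Z");
```

After runLoginFlow returns, sampleResult reports access_denied and sampleLogs holds one type f event with description "Denied!", yet sampleUser.logins_count is already 4 and last_login carries the timestamp of the denied attempt. That is exactly the state the problem statement describes, and it is why the log event, not the counters, is the authoritative record of whether access was granted.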

Related References