ForgeRock Identity Platform
Does not apply to Identity Cloud

Account lockout fails when an authentication chain contains a custom module in AM (All versions)

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if user accounts are not locked in accordance with the account lockout settings in AM when you have an authentication chain that contains one or more custom modules.


User account is not locked after a repeated number of failed login attempts.

The following message is shown when the user subsequently attempts to log in with invalid credentials.

{ "code": 401, "reason": "Unauthorized", "message": "Authentication Failed" }

Expected messages

When account lockout is working in an authentication chain, you would expect to see the following message after x number of failed logins:

{ "code": 401, "reason": "Unauthorized", "message": "Authentication Failed Warning: You will be locked out after 1 more failure(s)." }

And then the following message after another attempt:

{ "code": 401, "reason": "Unauthorized", "message": "Your account has been locked." }

Recent Changes

Added a custom authentication module to the chain.


The account lockout functionality works based on invalid password exceptions rather than invalid login exceptions. This means all login modules must throw an InvalidPasswordException instead of an AuthLoginException to trigger account lockout.


This issue can be resolved by updating your custom authentication modules to throw an InvalidPasswordException. For example, by changing:

throw new AuthLoginException(<parameters>);


throw new InvalidPasswordException(<parameters>);

See Also

How do I enable account lockout in AM (All versions)?

How do I unlock a user's account using the REST API in AM (All versions)?

How do I lock a user's account if they do not authenticate to AM (All versions) within a specific period of time?

Sample authentication logic

Configure account lockout

Core authentication attributes

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.