Hi all. Our web app uses Keycloak 26.3.2 and we run smoke tests against the app. These smoke tests use the same user each time via a GitHub action. Sometimes the user gets Disabled but I don’t understand why.
In the user events list I see successful logins and then logouts which align with test runs. Then, sometimes, on the next login it fails with an error “user_disabled”. I can’t see an event in the logs that shows when or why the user was set to be disabled. We have to flip the toggle to re-enable the user.
I wonder if it is anything to do with brute force detection despite the user logging in ok normally (no events saying incorrect password or quick fire token refreshes):
These are the settings:
Mode: Lockout permanently, Max failures: 5, Quick check ms: 1000, Minimum wait: 1 min
I’ve been round the houses with Claude and I’m not getting very far, hoping I can get some help from a real live expert!
Any suggestions or guidance would be appreciated.
Thanks,
Andy
