[keycloak-dev] credential management
Stian Thorgersen
stian at redhat.com
Tue Aug 13 07:36:01 EDT 2013
I like the idea of never allowing admins to see passwords. Temporary passwords are not very nice. It would require always having a verified means to communicate with the user though (email, SMS, others?).
We should also have an option on the realm that self-registered users are required to confirm their email address (send email with verification link).
Thinking about security issues, at the moment the login form shows an error message that says the username is invalid. This allows attackers to confirm the existence of user accounts, which is not good. It should simply state "invalid username/password".
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 12 August, 2013 10:12:31 PM
> Subject: [keycloak-dev] credential management
>
> Registration
> * new password and password confirmation
> * TOTP secret and QR generation and confirmation.
>
> Forgot password
> * Email sent to user with URL enclosed
> * If required by realm, ask one or more random questions i.e.:
> - What is your mother's maiden name?
> - What are the last 4 digits of your social security number?
> - What is the name of your first pet?
> - When did you lose your virginity?
> - What is your birthday?
> * User enters new password and confirmation
>
> Change Password:
> * Old Password
> * New Password
> * Confirm new Password
>
> Lost Authenticator
> * Admin must create a temporary token and speak it to user
> * User can log in with this temporary token and head to their account
> management page. Token expires after a certain amount of time.
> or
> * Ask one or more random questions as in Forgot password
>
> Admin user creation:
> * Email with a link is sent to user. Link prompts user for credential
> set up.
> * Or. Generate a temporary password that must reset by user on next
> login. Temporary password is spoken to user or given to them by some
> other means.
>
>
> When a user logs in keycloak must check to see if
> * A temporary password was created and the user must enter a new one
> * Registration is incomplete and new credentials must be set up, i.e. an
> authenticator.
>
> Are there any security holes here? One idea I have is that the admin
> would never ever see a credential. For user creation, a temporary
> password is emailed to the user and never seen by the admin or the user
> would have to register.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
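The two points raised in this thread, a login form that returns the same generic failure whether the username exists or not, and a post-login check for a temporary password, incomplete registration or an admin-issued temporary token, as an added example. This is not Keycloak code; it is a stand-alone sketch against a hypothetical in-memory user store, with constructed sample users, a dummy hash computed for unknown usernames so the failure path costs the same work either way, and a one-time temporary token of which only the hash is stored.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical in-memory user record; a real IdP would persist these fields.
@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    temporary_password: bool = False          # must be replaced on next login
    totp_configured: bool = False             # registration incomplete until set
    temp_token_hash: Optional[bytes] = None   # admin-issued lost-authenticator token
    temp_token_expires: Optional[float] = None

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def create_user(username: str, password: str, temporary: bool = False,
                totp_configured: bool = False) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), temporary, totp_configured)

# Dummy credential verified when the username is unknown, so a missing user
# costs the same hashing work as a wrong password and timing does not reveal
# whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

def authenticate(users: dict, username: str, password: str) -> dict:
    user = users.get(username)
    if user is None:
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return {"ok": False, "message": GENERIC_FAILURE}   # same text as a bad password
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return {"ok": False, "message": GENERIC_FAILURE}
    # Credentials are valid: collect the actions the user must complete before
    # reaching the application (the checks listed in the original message).
    required = []
    if user.temporary_password:
        required.append("UPDATE_PASSWORD")
    if not user.totp_configured:
        required.append("CONFIGURE_TOTP")
    return {"ok": True, "required_actions": required}

def issue_temporary_token(user: User, ttl_seconds: int, now: float) -> str:
    """Admin side of 'lost authenticator': generate a one-time token, store only
    its hash and expiry, and return the plaintext once to be spoken to the user."""
    token = secrets.token_urlsafe(16)
    user.temp_token_hash = hashlib.sha256(token.encode()).digest()
    user.temp_token_expires = now + ttl_seconds
    return token

def redeem_temporary_token(user: User, token: str, now: float) -> bool:
    """User side: accept the token only if it is unexpired and matches, then burn it."""
    if user.temp_token_hash is None or user.temp_token_expires is None:
        return False
    if now > user.temp_token_expires:
        user.temp_token_hash = None          # expired tokens are discarded
        user.temp_token_expires = None
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), user.temp_token_hash):
        return False
    user.temp_token_hash = None              # one-time use
    user.temp_token_expires = None
    return True

def build_sample_users() -> dict:
    # Constructed sample data for the demonstration: alice was created by an
    # admin with a temporary password and no authenticator yet; bob is fully set up.
    return {
        "alice": create_user("alice", "Temp-Pass-1", temporary=True, totp_configured=False),
        "bob": create_user("bob", "Strong-Pass-2", temporary=False, totp_configured=True),
    }

if __name__ == "__main__":
    users = build_sample_users()
    print(authenticate(users, "nobody", "x"))          # generic failure
    print(authenticate(users, "alice", "wrong"))       # identical generic failure
    print(authenticate(users, "alice", "Temp-Pass-1")) # ok, two required actions
```

The caller never learns which of the two failure branches it hit; only the successful path reports the required actions, and the admin-issued token is usable once, within its lifetime, and never stored in the clear.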