[keycloak-dev] credential management

Bill Burke bburke at redhat.com
Tue Aug 13 08:12:52 EDT 2013



On 8/13/2013 7:36 AM, Stian Thorgersen wrote:
> I like the idea of never allowing admins to see passwords. Temporary passwords are not very nice. It would require always having a verified means to communicate with the user though (email, SMS, others?).
>

How can you implement forgot credentials then without a verified means 
to communicate with the user?  (email, sms, *AND* voice).

I wonder how admins feel about the "Security Questions" (i.e. mother's 
maiden name). Then there would be no need to send an email.

> We should also have an option on the realm that self-registered users are required to confirm their email address (send email with verification link).
>

Lol, this will be one long-ass oauth redirection protocol and client_id, 
state, redirect_uri etc... parameters are gonna be passed around over 
and over....

> Thinking about security issues, at the moment the login form shows an error message that says username is invalid. This allows attackers to confirm the existence of user accounts which is not good. It should simply state "invalid username/password".
>

K, logged a JIRA:

https://issues.jboss.org/browse/KEYCLOAK-31

> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 12 August, 2013 10:12:31 PM
>> Subject: [keycloak-dev] credential management
>>
>> Registration
>> * new password and password confirmation
>> * TOTP secret and QR generation and confirmation.
>>
>> Forgot password
>> * Email sent to user with URL enclosed
>> * If required by realm, ask one or more random questions i.e.:
>> - What is your mother's maiden name?
>> - What are the last 4 digits of your social security number?
>> - What is the name of your first pet?
>> - When did you lose your virginity?
>> - What is your birthday?
>> * User enters new password and confirmation
>>
>> Change Password:
>> * Old Password
>> * New Password
>> * Confirm new Password
>>
>> Lost Authenticator
>> * Admin must create a temporary token and speak it to user
>> * User can log in with this temporary token and head to their account
>> management page.  Token expires after a certain amount of time.
>> or
>> * Ask one or more random questions as in Forgot password
>>
>> Admin user creation:
>> * Email with a link is sent to user.  Link prompts user for credential
>> set up.
>> * Or. Generate a temporary password that must reset by user on next
>> login.  Temporary password is spoken to user or given to them by some
>> other means.
>>
>>
>> When a user logs in keycloak must check to see if
>> * A temporary password was created and the user must enter a new one
>> * Registration is incomplete and new credentials must be set up, i.e. an
>> authenticator.
>>
>> Are there any security holes here?  One idea I have is that the admin
>> would never ever see a credential.  For user creation, a temporary
>> password is emailed to the user and never seen by the admin or the user
>> would have to register.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
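Added illustration (not Keycloak's code, written for this thread) of two points above: the uniform "invalid username/password" response so a login attempt cannot confirm whether an account exists, and the login-time check for a temporary password that must be replaced and that expires. The in-memory user store, PBKDF2 hashing and the dummy-hash trick are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory store for the example; a real realm would persist this.
users = {}
_ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

# A throwaway hash computed once at startup: a login against an unknown
# username still does one PBKDF2 run, so timing does not leak user existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)

def create_user(username, password, temporary=False, expires_at=None):
    """expires_at: absolute epoch seconds after which a temporary credential is dead."""
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "temporary": temporary, "expires_at": expires_at}

def login(username, password, now=None):
    now = time.time() if now is None else now
    user = users.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    # Unknown user, wrong password and expired temporary credential all get
    # the same message; only a valid login reveals anything about the account.
    if user is None or not ok:
        return "invalid username/password"
    if user["expires_at"] is not None and now > user["expires_at"]:
        return "invalid username/password"
    if user["temporary"]:
        return "update password required"  # realm forces a new password first
    return "ok"

def demo():
    """Constructed accounts: a normal user and one with a temporary password."""
    create_user("alice", "correct-horse-battery")
    create_user("bob", "tmp-1234", temporary=True, expires_at=1000.0)
    return [login("alice", "correct-horse-battery"), login("alice", "nope"),
            login("nobody", "nope"), login("bob", "tmp-1234", now=999.0),
            login("bob", "tmp-1234", now=1001.0)]

if __name__ == "__main__":
    print(demo())
```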

