[keycloak-dev] Reset password and verify email links are to long
Stian Thorgersen
stian at redhat.com
Tue Jul 15 11:49:18 EDT 2014
After the token manager was made stateless the full code is sent in emails (reset password and verify email), this is not very nice as it's very long.
Two ideas on how to fix this:
1. Save the code (user sessions?) and convert back to sending just the code id in the email
2. Send the info required to create a code (clientId, scope, state and redirect encoded with the realm key)
3. Send a short code that has to be copied/pasted back into the current login form
My thoughts are:
1. Nice and simple, but requires "storing" the code temporarily. Another thing we could do is to associate it with the session, this would make sure the email can only be clicked by the user that actually initiated it.
2. Not so nice as I think it'll still create too long links (especially if redirect and state are big).
3. Kinda nice, but changes the way it all works. This may actually be the optimal and more secure way to do it though.
See https://issues.jboss.org/browse/KEYCLOAK-542 for how big the link in the email actually is ;)
More information about the keycloak-dev
mailing list