[keycloak-dev] Reset password and verify email links are to long
Bill Burke
bburke at redhat.com
Tue Jul 15 11:59:02 EDT 2014
Can you wait to fix this? I have changes everywhere. :)
But, I thought AccessCode could be:
id, session-id, timestamp
UserSession has a Enum login-state (logging-in, logged-in, etc.) and is
associated with AccessCode and stores any information that is needed.
FYI, the token is generated right now so scope doesn't have to be
recalculated. Maybe this isn't really an optimization as signature
generation would take a lot longer :)
If that's what you're saying +1.
On 7/15/2014 11:49 AM, Stian Thorgersen wrote:
> After the token manager was made stateless the full code is sent in emails (reset password and verify email), this is not very nice as it's very long.
>
> Two ideas on how to fix this:
>
> 1. Save the code (user sessions?) and convert back to sending just the code id in the email
> 2. Send the info required to create a code (clientId, scope, state and redirect encoded with the realm key)
> 3. Send a short code that has to be copied/pasted back into the current login form
>
> My thoughts are:
>
> 1. Nice and simple, but requires "storing" the code temporarily. Another thing we could do is to associate it with the session, this would make sure the email can only be clicked by the user that actually initiated it.
> 2. Not so nice as I think it'll still create too long links (especially if redirect and state are big).
> 3. Kinda nice, but changes the way it all works. This may actually be the optimal and more secure way to do it though.
>
> See https://issues.jboss.org/browse/KEYCLOAK-542 for how big the link in the email actually is ;)
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list