[keycloak-dev] Reset password and verify email links are too long

Marek Posolda mposolda at redhat.com
Wed Jul 16 06:34:39 EDT 2014


+1 to associate code with the UserSession and remove it once code is 
exchanged. This will also help to fix the issue we discussed before, 
that now it's possible to exchange same code multiple times, which is 
not in line with OAuth2 specs. Created 
https://issues.jboss.org/browse/KEYCLOAK-560 and linked with 
https://issues.jboss.org/browse/KEYCLOAK-542

Marek

On 16.7.2014 10:58, Stian Thorgersen wrote:
> Are you talking about reducing the size of the code altogether or just for the email links?
>
> I was thinking about just saving the base64 encoded access-code with the user session temporarily, then sending the access code id (36 char uuid as before) in the email. First time the user clicks on the link the access code would be removed from the session, so this would also make the links a one-time-click thing.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 15 July, 2014 6:14:45 PM
>> Subject: Re: [keycloak-dev] Reset password and verify email links are too long
>>
>>
>>
>> On 7/15/2014 12:34 PM, Stian Thorgersen wrote:
>>>> If that's what you're saying +1.
>>> Are you referring to option 1, storing the required info in the user
>>> session temporarily? Not sure I understand the details about what you're
>>> proposing though.
>>>
>> Yes, option 1.  AccessCode should be associated with the user session.
>> Appropriate state needs to be stored in the session as AccessCode
>> currently saves a lot of stuff.
>>
>> Then the code only has to contain:
>>
>> id, session-id, timestamp
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
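The design the thread converges on (keep the access-code state server-side in the user session, put only a 36-character UUID in the e-mail link, remove the code on first exchange so a link works once and a code cannot be redeemed twice) is sketched below as an added illustration. This is not Keycloak code and none of the class or method names (`SessionCodeStore`, `issue_code`, `exchange_code`, the `action` field) are the project's API; the TTL, the injectable clock and the sample URL are assumptions for the example.

```python
"""One-time access codes bound to a user session (added illustration, not Keycloak code).

The code record carries only what the thread says it needs: id, session id,
timestamp (plus a hypothetical 'action' so one store can serve both reset-password
and verify-email links). The e-mail link carries only the code id, and the
record is popped from the store on first exchange, so a second redemption fails.
"""
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class AccessCode:
    id: str            # 36-char UUID, the only thing that goes into the link
    session_id: str    # the user session this code belongs to
    timestamp: float   # issue time, used for expiry
    action: str        # hypothetical: "reset-password" or "verify-email"


class SessionCodeStore:
    """Server-side store: sessions by id, pending codes by code id (hypothetical names)."""

    def __init__(self, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds          # assumed lifetime of an unused code
        self._clock = clock              # injectable so expiry can be tested offline
        self._sessions: Dict[str, str] = {}       # session_id -> user_id
        self._codes: Dict[str, AccessCode] = {}   # code_id -> pending AccessCode

    def create_session(self, user_id: str) -> str:
        session_id = str(uuid.uuid4())
        self._sessions[session_id] = user_id
        return session_id

    def issue_code(self, session_id: str, action: str) -> str:
        """Create a pending code for an existing session and return only its id."""
        if session_id not in self._sessions:
            raise KeyError("unknown session")
        code = AccessCode(id=str(uuid.uuid4()), session_id=session_id,
                          timestamp=self._clock(), action=action)
        self._codes[code.id] = code
        return code.id

    @staticmethod
    def build_link(base_url: str, code_id: str) -> str:
        # The link carries the 36-char id, not the full encoded code state.
        return f"{base_url}?code={code_id}"

    def exchange_code(self, code_id: str) -> Optional[AccessCode]:
        """Redeem a code once; None if unknown, already used, expired, or session gone."""
        code = self._codes.pop(code_id, None)   # pop: removed on first use
        if code is None:
            return None
        if code.session_id not in self._sessions:
            return None                         # session ended; the code dies with it
        if self._clock() - code.timestamp > self._ttl:
            return None                         # too old, even if never used
        return code

    def end_session(self, session_id: str) -> None:
        """Logout: drop the session and every code still pointing at it."""
        self._sessions.pop(session_id, None)
        stale = [cid for cid, c in self._codes.items() if c.session_id == session_id]
        for cid in stale:
            del self._codes[cid]


def demo() -> dict:
    """Issue a reset link for a constructed session, then redeem it twice."""
    store = SessionCodeStore(ttl_seconds=300.0)
    sid = store.create_session("alice")                 # constructed user
    code_id = store.issue_code(sid, "reset-password")
    link = store.build_link("https://idp.example.test/reset", code_id)  # constructed URL
    first = store.exchange_code(code_id)
    second = store.exchange_code(code_id)               # same link clicked again
    return {"link": link, "first_ok": first is not None, "second_ok": second is not None}


if __name__ == "__main__":
    print(demo())
```

Two details are worth keeping in a real implementation: the lookup is keyed by a random UUID so nothing about the user or session can be read off the link, and the store is the single point that decides a code is spent, which is what makes the "exchange the same code multiple times" problem go away.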
