[keycloak-dev] Issues with the first login flow

Gabriel Cardoso gcardoso at redhat.com
Tue May 20 11:33:37 EDT 2014


> From the technical point of view I don't like the idea of adding a special case that lets you set the admin password. Not just because of the additional work, but also as it adds a possible security hole. There are also situations where someone may set a more secure admin password on an initial installation prior to handing over to an admin, in which case there will be a password set, but the admin will be required to set the password. What we have covers both those use cases, as well as the use cases for when a password is required to be changed (suspected attack, expired password, etc).
> 
> On the other side, with regards to usability, I believe any user or admin of Keycloak is likely to experience the "update password" page, and may do so several times while using Keycloak. This page will be displayed after the user has logged in with username/password (and optionally totp). I agree that this can be confusing, especially as it has the exact same layout as the login screen and only text changes. If we can find a solution to making this page more obvious to users that would also sufficiently solve the first login case in my opinion.

Ok, we can keep the current flow :)

> By the way the last attachment doesn't work as the screen should be displayed after the user has logged in, and hence not require the user to enter a username.

So, when the user is asked to update his password, is he already logged in? It doesn't feel like that at all. The feeling is that you need to update the password to log in. To update the password is mandatory at that point, isn’t it? I mean, without doing so, the user cannot “explore” the console, right?

Regarding my screen, if the matter is the text “To have access to the console…”, we can easily change it. Maybe it is hard to recognise that, but the “username” field is already filled in with admin, which is a disabled field. So the autofocus would be in “New password” and the user wouldn’t need to enter the username.

Despite your punctual appointments, don’t you think a screen like that would improve what we have? I included the text above and the field “username” for this screen to be visibly different from the login screen.

Gabriel

---
Gabriel Cardoso
User Experience Designer @ Red Hat
