[keycloak-dev] Reset Password changes complete needs review

Bill Burke bburke at redhat.com
Sun Aug 16 17:26:54 EDT 2015


Here's what I did, I can change things based on questions I asked in 
other emails, but here's how it works.

There's now the concept of "reset password" and a different one "change 
password".

* Reset password is something the user initiates.  This will start an 
Authentication Flow and success will login the user and bring them to 
their application
* Change password is something initiated by an admin.  This just sends 
an email to the user to reset their password and does not start an 
authentication flow.

Reset Password changes:
* A Temporary Code is included in the Email in addition to a clickable 
link.
* When a user requests to be sent an email, they are brought to a new 
screen.  This screen allows the user to alternatively enter in the code 
from the email rather than clicking on a link.
* Temporary codes can only be entered once.  If it is entered wrong, 
user has to start login process all over again.
* Links can only be clicked once.
* The "Enter code" screen is shown with a success message even if a bad 
username or email is entered.  This is how it worked before.  I'm 
guessing this is here to avoid guessing email/usernames?


Change Password changes:
* It is a different email than Reset Password as there is no code


Questions:
* Should we get rid of the "back to login" links and instead have a 
"Cancel" button?  This applies to registration
* Should "Enter code" screen show a success even if the username/email 
was invalid?  Do we need to protect hackers from guessing usernames?


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
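An added illustration (my own example, not Keycloak's code) of the reset-password behaviour described above: a uniform "email sent" response regardless of whether the username exists, a temporary code that is consumed on the first attempt whether right or wrong, and the link carrying the same single-use code. The code format, the 5-minute lifetime and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the page does not state one


class ResetPasswordService:
    """Single-use reset codes with a response that does not reveal account existence."""

    def __init__(self, known_users, now=time.time):
        self.known_users = set(known_users)  # constructed sample user directory
        self.pending = {}                     # username -> (code, expires_at)
        self.sent_emails = []                 # stands in for the mail transport
        self.now = now                        # injectable clock for testing expiry

    def request_reset(self, username_or_email):
        # Same message whether or not the account exists, so the reset form
        # cannot be used to confirm valid usernames or email addresses.
        if username_or_email in self.known_users:
            code = secrets.token_hex(4)  # assumed 8-hex-char code format
            self.pending[username_or_email] = (code, self.now() + CODE_TTL_SECONDS)
            self.sent_emails.append((username_or_email, code))
        return "If an account exists, an email with a reset code has been sent."

    def reset_link(self, username):
        # Assumption: the clickable link carries the same single-use code,
        # so following it once consumes the code exactly like typing it in.
        code, _ = self.pending[username]
        return f"https://example.invalid/reset?user={username}&code={code}"

    def verify_code(self, username, submitted):
        # One attempt only: the pending code is removed on success AND on
        # failure, so a wrong entry forces the user to start over.
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self.now() > expires_at:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(code, submitted)

    def verify_link(self, link):
        # Parse the link we generated above and route it through verify_code.
        query = link.split("?", 1)[1]
        params = dict(part.split("=", 1) for part in query.split("&"))
        return self.verify_code(params["user"], params["code"])
```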

