[keycloak-dev] Reset Password changes complete needs review
Bill Burke
bburke at redhat.com
Tue Aug 18 08:43:59 EDT 2015
ping. Didn't hear whether the Temporary Code addition to reset password
was or about back to login links/"Cancel" button.
On 8/16/2015 5:26 PM, Bill Burke wrote:
> Here's what I did, I can change things based on questions I asked in
> other emails, but here's how it works.
>
> There's now the concept of "reset password" and a different one "change
> password".
>
> * Reset password is something the user initiates. This will start an
> Authentication Flow and success will login the user and bring them to
> their application
> * Change password is something initiated by an admin. This just sends
> an email to the user to reset their password and does not start an
> authentication flow.
>
> Reset Password changes:
> * A Temporary Code is included in the Email in addition to a clickable
> link.
> * When a user requests to be sent an email, they are brought to a new
> screen. This screen allows the user to alternatively enter in the code
> from the email rather than clicking on a link.
> * Temporary codes can only be entered once. If it is entered wrong,
> user has to start login process all over again.
> * Links can only be clicked once.
> * The "Enter code" screen is shown with a success message even if a bad
> username or email is entered. This is how it worked before. I'm
> guessing this is here to avoid guessing email/usernames?
>
>
> Change Password changes:
> * It is a different email than Reset Password as there is no code
>
>
> Questions:
> * Should we get rid of the "back to login" links and instead have a
> "Cancel" button? This applies to registration
> * Should "Enter code" screen show a success even if the username/email
> was invalid? Do we need to protect hackers from guessing usernames?
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
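As an added illustration (not Keycloak's code and not the author's), a minimal Python model of the reset-password behaviour described in the quoted mail: the request screen answers identically for known and unknown accounts, and the emailed code and link share one pending entry that a single attempt, right or wrong, consumes. The account table, the outbox list, the hashing of stored secrets and the 8-digit code length are constructed assumptions.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

def _h(value: str) -> bytes:
    # Store only hashes of the secrets so a leaked table yields nothing replayable.
    return hashlib.sha256(value.encode()).digest()

@dataclass
class PendingReset:
    code_hash: bytes   # temporary code typed into the "Enter code" screen
    link_hash: bytes   # token carried by the clickable link in the same email
    expires_at: float

class ResetPasswordFlow:
    SENT_MESSAGE = "If the account exists, an email with a link and a code has been sent."

    def __init__(self, accounts, ttl_seconds=900, clock=time.time):
        self.accounts = accounts   # username -> email (constructed sample data)
        self.pending = {}          # username -> PendingReset; one live entry per user
        self.outbox = []           # stand-in for the mail server: (email, code, link_token)
        self.ttl = ttl_seconds
        self.clock = clock

    def request_reset(self, username_or_email: str) -> str:
        """User-initiated reset. The reply is identical for unknown accounts,
        so the screen cannot be used to enumerate usernames or emails."""
        username = next((u for u, e in self.accounts.items()
                         if username_or_email in (u, e)), None)
        if username is not None:
            code = f"{secrets.randbelow(10**8):08d}"      # 8-digit temporary code
            link_token = secrets.token_urlsafe(32)
            self.pending[username] = PendingReset(
                _h(code), _h(link_token), self.clock() + self.ttl)
            self.outbox.append((self.accounts[username], code, link_token))
        return self.SENT_MESSAGE

    def _consume(self, username: str, presented: str, which: str) -> bool:
        # pop(): the entry is gone after ONE attempt, right or wrong, so a wrong
        # code forces a fresh request and a used link or code cannot be replayed.
        entry = self.pending.pop(username, None)
        if entry is None or self.clock() > entry.expires_at:
            return False
        expected = entry.code_hash if which == "code" else entry.link_hash
        return hmac.compare_digest(expected, _h(presented))

    def submit_code(self, username: str, code: str) -> bool:
        return self._consume(username, code, "code")

    def follow_link(self, username: str, link_token: str) -> bool:
        return self._consume(username, link_token, "link")
```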