[keycloak-dev] Reset Password changes complete needs review

Stian Thorgersen stian at redhat.com
Tue Aug 18 09:04:24 EDT 2015


Can you elaborate on what the benefits are of these changes? It seems to me that we had something that was working just fine.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Sunday, 16 August, 2015 11:26:54 PM
> Subject: [keycloak-dev] Reset Password changes complete needs review
> 
> Here's what I did, I can change things based on questions I asked in
> other emails, but here's how it works.
> 
> There's now the concept of "reset password" and a different one "change
> password".
> 
> * Reset password is something the user initiates.  This will start an
> Authentication Flow and success will login the user and bring them to
> their application

I assume this is still through email - if so, it's important that users are only logged in if the reset password link is opened in the same user session as they initiated the reset password flow

> * Change password is something initiated by an admin.  This just sends
> an email to the user to reset their password and does not start an
> authentication flow.

I don't understand why there are two different names/concepts here.

> 
> Reset Password changes:
> * A Temporary Code is included in the Email in addition to a clickable
> link.

What's the benefit of a temporary code? Is it not easier for a user to just click the link? Having both seems like it could confuse users.

> * When a user requests to be sent an email, they are brought to a new
> screen.  This screen allows the user to alternatively enter in the code
> from the email rather than clicking on a link.
> * Temporary codes can only be entered once.  If it is entered wrong,
> user has to start login process all over again.
> * Links can only be clicked once.
> * The "Enter code" screen is shown with a success message even if a bad
> username or email is entered.  This is how it worked before.  I'm
> guessing this is here to avoid guessing email/usernames?

Yes

> 
> 
> Change Password changes:
> * It is a different email than Reset Password as there is no code
> 
> 
> Questions:
> * Should we get rid of the "back to login" links and instead have a
> "Cancel" button?  This applies to registration

Cancel suggests to me that it would go back to the application. Back to login is more clear that it goes back to the login screen. A user could have clicked the recover password link by mistake.

> * Should "Enter code" screen show a success even if the username/email
> was invalid?  Do we need to protect hackers from guessing usernames?

Yes, we should never make it possible to guess/check usernames/emails.

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
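The properties debated in the thread (one-time codes, one-time links, the reset only logging the user in from the session that requested it, and the same "check your email" answer whether or not the account exists) as an added Python sketch; this is not Keycloak's code, and the user store, outbox and session ids are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-in for the user store and mailer; a real server
# would use its database and SMTP, but the control flow is the point.
class PasswordResetService:
    def __init__(self, users, ttl_seconds=600, clock=time.time):
        self.users = users            # username -> email (constructed sample data)
        self.ttl = ttl_seconds
        self.clock = clock
        self.outbox = []              # "sent" emails, kept so the demo can be inspected
        self._pending = {}            # sha256(code) -> (username, session_id, expires_at)

    @staticmethod
    def _digest(code):
        # Store only a hash of the code so a leaked table cannot be replayed.
        return hashlib.sha256(code.encode()).hexdigest()

    def request_reset(self, username_or_email, session_id):
        """Always returns the same message, so the response does not reveal
        whether the username or email exists."""
        for username, email in self.users.items():
            if username_or_email in (username, email):
                code = secrets.token_urlsafe(24)
                expires_at = self.clock() + self.ttl
                # Bind the code to the browser session that asked for it.
                self._pending[self._digest(code)] = (username, session_id, expires_at)
                self.outbox.append({"to": email, "code": code})
                break
        return "If that account exists, an email with a reset code has been sent."

    def consume(self, code, session_id):
        """Redeem a code exactly once. Returns the username to log in, or None."""
        # pop() makes the code single-use even when the attempt then fails
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return None                  # unknown, mistyped, or already used
        username, bound_session, expires_at = entry
        if session_id != bound_session:  # opened from a different session
            return None
        if self.clock() > expires_at:    # expired
            return None
        return username
```

The message body is constant, but the early `break` means timing still differs between existing and non-existing accounts; treating that is a separate concern from the response text discussed here.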

