[keycloak-dev] refactored admin reset email and required actions

Stian Thorgersen stian at redhat.com
Mon Aug 31 07:06:15 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Saturday, 22 August, 2015 3:31:56 AM
> Subject: [keycloak-dev] refactored admin reset email and required actions
> 
> Admin console can send a reset password email to the user.  Originally
> it just executed update password.  I changed this so that it sets an
> Update Password required action on the User.  The email link click runs
> all required actions set for the user, then displays a message that the
> Account has been updated.

The admin console could do either - set a password (and choose if it was temporary or not) as well as send a reset password link

> 
> When I get back, I'm also going to change the admin console behavior and
> look too.  Instead of a "Reset Password Email" button on Credentials
> tab, there will be a button next to the Required Actions selection box
> on user detail, something like "Email Required Actions"  (I need a
> better name).  Clicking on this button will send an email to the user

This isn't the correct approach IMO. What we used to have was the ability for an admin to send an email to a user to allow the user to recover the password. It wasn't a required action, just something the user could do if they needed to. I think how it worked before was much clearer to end users; also, the Credentials tab is the correct place for "recovering password".

> 
> "Your administrator has requested that you update and/or reset some of
> your account settings.  Please click the link below to perform these
> actions."
> 
> We do it this way because there may be multiple credentials the admin
> wants the user to reset.  These credentials may be custom authenticators.
> 
> Also I refactored the CONFIG_TOTP, UPDATE_PROFILE, and UPDATE_PASSWORD
> required actions.  They are now fully encapsulated under the required
> actions SPI and are not hardcoded with any special cases.  I still need
> to refactor verify email.  Ran out of time.
> 
> Finally, I need to add a check to user-initiated Reset Credentials.  I
> haven't put back in the cookie check to make sure not to log in the user
> if it's not the same browser.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 

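The "cookie check" Bill mentions for user-initiated Reset Credentials is the part of this thread a practitioner will want to see concretely. The following is an added example, not code from this thread and not Keycloak's own implementation: a simplified Python model in which starting a reset stores a random nonce server-side and hands the same nonce to the requesting browser as a cookie, while the emailed link carries only a separate single-use token. When the link is clicked, the queued required actions run either way, but a login session is established only if the browser presents the matching cookie. The store names (`RESET_STORE`, `USER_ACTIONS`), the `ResetState`/`ResetResult` types and the action names are assumptions made for the example.

```python
"""Same-browser check for an emailed reset-credentials link.

Simplified model written for this example; it is not Keycloak's code.
"""

import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ResetState:
    username: str
    nonce: str            # value the requesting browser holds in a cookie
    expires_at: int       # unix seconds
    actions: List[str]    # e.g. ["UPDATE_PASSWORD", "CONFIGURE_TOTP"]


@dataclass
class ResetResult:
    username: Optional[str]   # None when the link was invalid or expired
    logged_in: bool           # True only when the cookie matched
    completed: List[str]      # required actions that were run
    message: str


# In-memory stores standing in for the server's session store (constructed for
# the example; a real deployment keeps these per-server or in a shared cache).
RESET_STORE = {}     # link token -> ResetState
USER_ACTIONS = {}    # username -> pending required actions


def start_reset(username: str, actions: List[str], now: int, ttl: int = 300) -> Tuple[str, str]:
    """Begin a user-initiated reset.

    Returns (link_token, cookie_value): link_token goes into the emailed URL,
    cookie_value is set as a cookie in the browser that submitted the form.
    Both are independent random values, so the email alone never reveals the
    cookie and the cookie alone never reveals the link.
    """
    token = secrets.token_urlsafe(24)
    nonce = secrets.token_urlsafe(24)
    USER_ACTIONS[username] = list(actions)
    RESET_STORE[token] = ResetState(username, nonce, now + ttl, list(actions))
    return token, nonce


def open_reset_link(token: str, cookie_nonce: Optional[str], now: int) -> ResetResult:
    """Handle a click on the emailed link.

    The token is consumed on first use and rejected after expiry.  The queued
    required actions are run regardless of which browser opened the link; the
    cookie decides only whether a session is established afterwards.
    """
    state = RESET_STORE.pop(token, None)          # single use: first click consumes it
    if state is None:
        return ResetResult(None, False, [], "Invalid or already used link.")
    if now > state.expires_at:
        return ResetResult(None, False, [], "Link has expired.")

    # "Run" the required actions: here that just means clearing them for the user.
    completed = list(state.actions)
    USER_ACTIONS[state.username] = []

    same_browser = cookie_nonce is not None and hmac.compare_digest(cookie_nonce, state.nonce)
    if not same_browser:
        # Different browser, or no cookie at all: finish the actions but do NOT log in.
        return ResetResult(state.username, False, completed,
                           "Your account has been updated. Please log in.")
    return ResetResult(state.username, True, completed, "Your account has been updated.")


if __name__ == "__main__":
    link, cookie = start_reset("alice", ["UPDATE_PASSWORD"], now=1000)
    print(open_reset_link(link, cookie, now=1100))   # same browser: logged in
    link, cookie = start_reset("bob", ["UPDATE_PASSWORD"], now=1000)
    print(open_reset_link(link, None, now=1100))     # other browser: actions run, no login
```

The check limits what a stolen or forwarded link yields: whoever opens it elsewhere gets no session and must authenticate with the credentials they just set. It does not stop that person from completing the actions, so expiry and single use of the token still carry the rest of the weight.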
