[keycloak-dev] Re: A disabled user receives a confusing info message, if he tries to reset his password

Michael Gerber gerbermichi at me.com
Mon Jan 12 07:30:46 EST 2015


Unfortunately, it isn't implemented like that.

Have a look at the authenticateInternal method of the AuthenticationManager class.
AuthenticationStatus.ACCOUNT_DISABLED;
is returned before the validCredentials method is invoked.

Best
Michael

On 12 January 2015 at 12:25, Stian Thorgersen <stian at redhat.com> wrote:



----- Original Message -----
From: "Michael Gerber" <gerbermichi at me.com>
To: "Stian Thorgersen" <stian at redhat.com>
Cc: keycloak-dev at lists.jboss.org
Sent: Monday, 12 January, 2015 11:20:02 AM
Subject: Re: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password
Thank you, that sounds logical.
I just wondered, because you have a different error message for disabled
users on the login screen.
"Account is disabled, contact admin"

That should only be shown after a user has logged in with valid username/password, if you try to login with an invalid password and disabled user it should show invalid username/password.

Best
Michael
On 12 January 2015 at 10:45, Stian Thorgersen <stian at redhat.com> wrote:
This is intentional. If we provide specific error messages on reset password
it can be used to find out whether or not a username/email is valid. Same
applies to login, instead of saying invalid username it just says invalid
username or password.
As an improvement we could extend the message to say if you haven't received
a message within a certain time, then retry or contact an admin/support.
----- Original Message -----
From: "Michael Gerber" <gerbermichi at me.com>
To: keycloak-dev at lists.jboss.org
Sent: Friday, 9 January, 2015 4:01:49 PM
Subject: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password
A disabled user receives the following info message, if he tries to reset his
password:
You should receive an email shortly with further instructions.
This is a bit confusing. A message like that would be nicer:
Failed to send email, please contact the administrator.
I will create a PR if that is ok with you?
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
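The ordering question raised in the thread, as an added example that is not Keycloak code: a constructed user store with one enabled and one disabled user, a login check in the order Michael describes (disabled status returned before validCredentials) beside one in the order Stian argues for (disabled status only after valid credentials), and a reset handler that replies identically for unknown, disabled and enabled users. The helper `is_enumeration_oracle` shows why the first ordering matters: a wrong password alone distinguishes a disabled account from a non-existent one.

```python
import hashlib, hmac
from enum import Enum

class Status(Enum):
    SUCCESS = "success"
    INVALID_CREDENTIALS = "invalid username or password"
    ACCOUNT_DISABLED = "account is disabled, contact admin"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed user store (assumed for this example, not Keycloak's model).
_SALT = b"constructed-fixed-salt"
USERS = {
    "alice": {"hash": _hash("correct horse", _SALT), "enabled": True},
    "bob":   {"hash": _hash("battery staple", _SALT), "enabled": False},
}
_DUMMY_HASH = _hash("dummy", _SALT)   # verified for unknown users to equalise the work done

def valid_credentials(user, password):
    expected = user["hash"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(expected, _hash(password, _SALT))
    return ok and user is not None

def authenticate_leaky(username, password):
    """Ordering the thread describes: the disabled check runs before the credential check."""
    user = USERS.get(username)
    if user and not user["enabled"]:
        return Status.ACCOUNT_DISABLED        # discloses that the account exists, no password needed
    if not valid_credentials(user, password):
        return Status.INVALID_CREDENTIALS
    return Status.SUCCESS

def authenticate_hardened(username, password):
    """Ordering Stian argues for: disabled status is disclosed only after valid credentials."""
    user = USERS.get(username)
    if not valid_credentials(user, password):
        return Status.INVALID_CREDENTIALS
    if not user["enabled"]:
        return Status.ACCOUNT_DISABLED
    return Status.SUCCESS

def reset_password(username):
    # The email is sent only if USERS.get(username) is enabled; the reply never depends on it.
    return "You should receive an email shortly with further instructions."

def is_enumeration_oracle(authenticate):
    """True if a wrong password yields different replies for a disabled vs an unknown user."""
    return authenticate("bob", "wrong") != authenticate("nobody", "wrong")
```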

