[keycloak-dev] Cleanup of 'Change password' screen in Account app

Stian Thorgersen sthorger at redhat.com
Fri Nov 27 05:47:25 EST 2015


Please add suggestions to improve account management to
https://issues.jboss.org/browse/KEYCLOAK-1250. We're hoping to completely
rework the account management console, as it's neither very nice nor user
friendly at the moment.

On 27 November 2015 at 11:46, Stian Thorgersen <sthorger at redhat.com> wrote:

> +1 to setting re-auth after a configurable time for both the admin console and
> account management. I still think we should ask for the password, though.
>
> On 27 November 2015 at 11:45, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>>
>>
>> On 27 November 2015 at 10:23, Vlastimil Elias <velias at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> I have two proposals for cleanup of 'Change password' screen in Account
>>> app based on my experience with it:
>>>
>>> 1. remove the Cancel button - it has no meaning on this screen/form; it
>>> only re-shows the form with empty fields. There is also a bug: the
>>> "Password" field is hidden when it is used, which makes the whole form
>>> unusable.
>>>
>>
>> +1
>>
>>
>>>
>>> 2. remove validation of the current password (remove the "Password"
>>> field). Two reasons for this:
>>>    - the security impact of this check is small. If an attacker is able to
>>> compromise the Account app, then he can always change the email and then
>>> use the "Forgot password" feature to change the password
>>>    - a user created over an Identity Provider does not know the old
>>> password (because it is not set), so he is not able to set a password
>>> using this screen
>>> After we implement support for reauthentication (KEYCLOAK-2076), we
>>> should set some reasonable reauth timeout for the Account app instead;
>>> this will make it more secure overall.
>>>
>>
>> -1 Password reset over email may not be enabled at all. We already allow
>> setting a password for IdP logins without requiring the existing password.
>>
>> +1 to the suggestion from Thomas - we should ask for the password when
>> updating the email, at least when password recovery over email is enabled.
>>
>> It seems to be common practice to ask for current password when updating
>> the existing password.
>>
>>
>>>
>>> If you agree then I can create JIRA issue for this and provide PR.
>>>
>>> Vlastimil
>>>
>>> --
>>> Vlastimil Elias
>>> Principal Software Engineer
>>> Developer Portal Engineering Team
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>
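The policy the replies converge on (a re-auth timeout for the whole Account app, the current password still required for a password change, and the same gate on an email change whenever email-based reset is enabled, with the check skipped only for IdP-created users who have no password yet) can be modelled in a few dozen lines. The code below is an added illustration written for this page, not Keycloak code; `User`, `Policy`, `AccountApp`, the PBKDF2 hashing and the sample users are all hypothetical.

```python
"""Toy model of the account-app policies argued over in this thread.
Added example, not Keycloak code; every class and name here is hypothetical."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real server's credential store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    email: str
    salt: Optional[bytes] = None      # None: no password credential at all,
    pw_hash: Optional[bytes] = None   # e.g. an account created via an IdP
    last_auth: float = 0.0            # time of the last full authentication

    def has_password(self) -> bool:
        return self.pw_hash is not None

    def verify_password(self, candidate: str) -> bool:
        if not self.has_password():
            return False
        return hmac.compare_digest(_hash(candidate, self.salt), self.pw_hash)

    def set_password(self, new: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)


@dataclass
class Policy:
    email_reset_enabled: bool = True  # "Forgot password" over e-mail available
    reauth_timeout: float = 300.0     # seconds since last auth before re-auth


class AccountApp:
    def __init__(self, policy: Policy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock  # injectable so the timeout can be tested offline

    def authenticate(self, user: User, password: str) -> bool:
        ok = user.verify_password(password)
        if ok:
            user.last_auth = self.clock()
        return ok

    def record_idp_login(self, user: User) -> None:
        # A successful brokered login counts as a full authentication too.
        user.last_auth = self.clock()

    def _require_fresh(self, user: User) -> None:
        # The re-auth timeout proposed for the whole Account app: any
        # sensitive action needs an authentication newer than the timeout.
        if self.clock() - user.last_auth > self.policy.reauth_timeout:
            raise PermissionError("re-authentication required")

    def change_password(self, user: User, current: Optional[str], new: str) -> None:
        # Re-auth window AND current password, as the -1 reply argues; the
        # password check is skipped only for users who never had one.
        self._require_fresh(user)
        if user.has_password() and (current is None or not user.verify_password(current)):
            raise PermissionError("current password required")
        user.set_password(new)

    def update_email(self, user: User, current: Optional[str], new_email: str) -> None:
        # E-mail is the reset channel, so while e-mail reset is enabled an
        # e-mail change is gated like a password change (Thomas's suggestion).
        self._require_fresh(user)
        if self.policy.email_reset_enabled and user.has_password():
            if current is None or not user.verify_password(current):
                raise PermissionError("current password required to change e-mail")
        user.email = new_email


def attempt(action: Callable, *args) -> bool:
    """True if the action is allowed, False if the policy rejects it."""
    try:
        action(*args)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    app = AccountApp(Policy())
    alice = User("alice", "alice@example.test")  # constructed sample user
    alice.set_password("old-secret")
    app.authenticate(alice, "old-secret")
    print(attempt(app.change_password, alice, "wrong", "x"))            # False
    print(attempt(app.update_email, alice, None, "evil@example.test"))  # False
```

The clock is injected so the re-auth window can be exercised without sleeping; with `email_reset_enabled=False` the e-mail change falls back to the freshness check alone, which is the configuration the -1 reply warns the original proposal would leave unprotected.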