[keycloak-dev] Cleanup of 'Change password' screen in Account app

Vlastimil Elias velias at redhat.com
Fri Nov 27 06:16:32 EST 2015


Hi,

On 27.11.2015 11:45, Stian Thorgersen wrote:
>
>
> On 27 November 2015 at 10:23, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
>     Hi,
>
>     I have two proposals for cleanup of the 'Change password' screen
>     in the Account app, based on my experience with it:
>
>     1. Remove the Cancel button - it has no meaning on this screen/form,
>     it only re-shows the form with empty fields. And there is also a
>     bug: the "Password" field is hidden when it is used, which makes
>     the whole form unusable.
>
>
> +1

OK, I'm going to create a JIRA and provide a PR for this.

>  
>
>
>     2. Remove validation of the current password (remove the "Password"
>     field). Two reasons for this:
>        - the security impact of this check is small. If an attacker is
>     able to compromise the Account app then he can always change the
>     email and then use the "Forgot password" feature to change the
>     password
>        - users created over an Identity Provider do not know the old
>     password (because it is not set), so they are not able to set a
>     password using this screen
>     After we implement support for reauthentication (KEYCLOAK-2076)
>     we should instead set some reasonable reauth timeout for the
>     Account app; this will make it more secure overall.
>
>
> -1 Reset password over email may not be enabled at all. We already
> allow setting a password for IdP logins without requiring the existing
> password.
Fair enough
>
> +1 to the suggestion from Thomas - we should ask for the password when
> updating the email, at least when password recovery over email is enabled.

Makes sense, but what to do if the user has no password set at this point?
Don't ask him, or reauthenticate him by another available mechanism?

And there are also other "dangerous" operations in the Account app. E.g.
an attacker who gains access to it can disable OTP without any recheck.
This should be protected too.
I believe the whole Account app should be correctly protected by
reauthentication. The question is whether to implement it specifically in
the app, or resolve this generally as part of KEYCLOAK-2076.

Vlastimil

>
> It seems to be common practice to ask for current password when
> updating the existing password.
>  
>
>
>     If you agree then I can create a JIRA issue for this and provide a PR.
>
>     Vlastimil
>
>     --
>     Vlastimil Elias
>     Principal Software Engineer
>     Developer Portal Engineering Team
>
>
>
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team

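The policy discussed in this thread (ask for the current password on password change, on email change when reset-over-email is enabled, and on OTP disable; fall back to a reauthentication timeout for users who have no password because they were created through an identity provider), written out as an added example. This is illustrative code written for this page, not Keycloak's own Account app or KEYCLOAK-2076; the constant REAUTH_MAX_AGE_SECONDS, the PBKDF2 hashing, and every class and function name are assumptions chosen for the demonstration.

```python
"""Gate for sensitive Account-app operations (change password, change
email, disable OTP).  Illustrative policy code, not Keycloak's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed value: how long a login or reauthentication stays fresh enough
# to authorise a sensitive operation for a user who has no password.
REAUTH_MAX_AGE_SECONDS = 300


class ReauthRequired(Exception):
    """The last authentication is too old; the user must log in again."""


class WrongPassword(Exception):
    """The current password was missing or did not verify."""


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: Optional[bytes]  # None for users created through an IdP
    otp_enabled: bool
    last_auth_at: float             # epoch seconds of the last full login/reauth


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hash the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_password(user: User, candidate: str) -> bool:
    if user.password_hash is None:
        return False  # nothing to compare against: IdP user without a password
    return hmac.compare_digest(user.password_hash, hash_password(candidate, user.salt))


def require_fresh_credentials(user: User, current_password: Optional[str], now: float) -> None:
    """Users with a password must supply it.  Users without one (the
    'Password' field would be meaningless for them) must instead have
    authenticated within REAUTH_MAX_AGE_SECONDS."""
    if user.password_hash is not None:
        if current_password is None or not verify_password(user, current_password):
            raise WrongPassword("current password required")
        return
    if now - user.last_auth_at > REAUTH_MAX_AGE_SECONDS:
        raise ReauthRequired("no password on record; reauthenticate first")


def change_password(user: User, current_password: Optional[str],
                    new_password: str, now: float) -> None:
    require_fresh_credentials(user, current_password, now)
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new_password, user.salt)


def change_email(user: User, current_password: Optional[str], new_email: str,
                 now: float, reset_by_email_enabled: bool) -> None:
    # Email only becomes a password-reset path when reset-over-email is on,
    # so that is the case where the change must be gated.
    if reset_by_email_enabled:
        require_fresh_credentials(user, current_password, now)
    user.email = new_email


def disable_otp(user: User, current_password: Optional[str], now: float) -> None:
    require_fresh_credentials(user, current_password, now)
    user.otp_enabled = False


def new_local_user(email: str, password: str, now: float) -> User:
    salt = secrets.token_bytes(16)
    return User(email, salt, hash_password(password, salt), True, now)


def new_idp_user(email: str, now: float) -> User:
    # Constructed sample: account provisioned by an identity provider, no password set.
    return User(email, b"", None, True, now)
```

The split in require_fresh_credentials is the answer to the "what if the user has no password" question above: the password check is not dropped for everyone, only for accounts that never had one, and those accounts get the timeout check instead.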