[keycloak-dev] Cleanup of 'Change password' screen in Account app

Stian Thorgersen sthorger at redhat.com
Fri Nov 27 06:28:41 EST 2015


On 27 November 2015 at 12:16, Vlastimil Elias <velias at redhat.com> wrote:

> Hi,
>
> On 27.11.2015 11:45, Stian Thorgersen wrote:
>
>
>
> On 27 November 2015 at 10:23, Vlastimil Elias < <velias at redhat.com>
> velias at redhat.com> wrote:
>
>> Hi,
>>
>> I have two proposals for cleanup of 'Change password' screen in Account
>> app based on my experience with it:
>>
>> 1. remove Cancel button - it has no any meaning on this screen/form, it
>> only reshowns form with empty fields. And also there is a bug,
>> "Password" field is hidden when it is used, which makes whole form
>> unusable.
>>
>
> +1
>
>
> OK, I'm going to create JIRA and provide PR for this.
>
>
>
>>
>> 2. remove validation of current password (remove "Password" field). Two
>> reasons for this:
>>    - security impact of this check is small. If attacker is able to
>> compromise Account app then he can always change email and then use
>> "Forgot password" feature to change password
>>    - user created over Identity Provider do not know old password
>> (because it is not set) so he is not able to set password using this
>> screen
>> After we implement support for reauthentication (KEYCLOAK-2076) then we
>> should set some reasonable reauth timeout for Account app instead, this
>> will make it more secure at all.
>>
>
> -1 Reset password over email may not be enabled at all. We already allow
> setting password for IdPs login without requiring the existing password.
>
> Fair enough
>
>
> +1 To suggestion from Thomas - we should ask for password when updating
> email at least when recover password over email is enabled.
>
>
> Makes sense, but what to do if user has no password set at this point?
> Don't ask him, or reauthenticate him by other available mechanism?
>
> And there are also other "dangerous" operations in Account app. Eg.
> attacker who gains access to it can disable OTP without any recheck. This
> should be protected too.
> I believe whole Account app should be correctly protected by
> reauthentications. Question is if implement it somehow specifically in the
> app, or resolve this generally as part of KEYCLOAK-2076.
>

Yep, you're right there's other dangerous operations as well.
Re-authentication sounds like the correct approach, rather than requesting
the password again. We could have two configurable timeouts in account
management console. One that requires re-auth for anything (~30 min
default), and another that requires re-auth for sensitive operations (~5
min).

One thing with re-auth is that if it happens when a user submits a form,
you then someone have to also remember the values of the form. Currently
account management is stateless.


>
>
> Vlastimil
>
>
> It seems to be common practice to ask for current password when updating
> the existing password.
>
>
>>
>> If you agree then I can create JIRA issue for this and provide PR.
>>
>> Vlastimil
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151127/6599ae13/attachment-0001.html 


More information about the keycloak-dev mailing list