[keycloak-dev] refactored admin reset email and required actions

Bill Burke bburke at redhat.com
Wed Sep 2 09:12:07 EDT 2015



On 9/1/2015 2:04 AM, Stian Thorgersen wrote:
>> I'll repeat myself.  There may be more than one credential the
>> admin/user needs/wants to reset.  These credentials may also be custom
>> ones written by a system integrator.  I don't want to introduce yet
>> another SPI for credential recovery when it would work exactly the same
>> way as required actions.  Now, there is one place the admin can email
>> the user to perform any specific action.
>
> Recovering credentials is not a required action. It's an optional action the user may do, but the user should also be allowed to not do it. Also, it belongs on the credentials tab. I'm fairly sure no one is going to find it otherwise.
>
> It doesn't have to be yet another SPI, but maybe we could add a type enum or something to the current SPI. Also, we could add support for optional actions?
>
>>
>> If you want to create a separate SPI and way of doing this to support
>> reset of more than just password, feel free to create that SPI, extend
>> the Model API, write the tests, update the docs and create new examples
>> and make sure the flow is configurable. I think this approach is fine.
>
> I know we have a lot of work to do, but usability has to always be considered. One of the main reasons I was interested in Keycloak was to create something that would make security easier for users, admins and developers. I feel that if we continue adding and changing things without considering usability we could just end up with being yet another hard to use product with all sorts of features.
>

I was thinking about this a little more and I thought about the ability 
to add required actions to the ClientSession.  Those required actions 
would only have to be executed within that client session login and 
could be aborted.  Then user forgot-password and admin reset would only 
set required actions on the ClientSession, and the actions would become temporary.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
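The distinction Bill sketches above (persistent required actions on the user versus temporary ones on a ClientSession that die with an aborted login) is easy to get wrong in a model, so here is a small constructed illustration of it. This is an added toy model written for this page, not Keycloak code; the class names, the `start_reset_login` entry point and the action names `VERIFY_EMAIL` / `UPDATE_PASSWORD` are placeholders chosen for the example, not Keycloak's own API or enum values.

```python
from dataclasses import dataclass, field

# Illustrative action names for the example; not Keycloak's own enum values.
VERIFY_EMAIL = "VERIFY_EMAIL"
UPDATE_PASSWORD = "UPDATE_PASSWORD"


@dataclass
class User:
    """A user record. Required actions stored here are persistent: every
    future login, from any client, must complete them before it succeeds."""
    username: str
    required_actions: set = field(default_factory=set)


@dataclass
class ClientSession:
    """One login attempt by `user` against `client_id`. Required actions
    stored here are temporary: they apply to this attempt only and are
    dropped if the attempt is aborted."""
    client_id: str
    user: User
    required_actions: set = field(default_factory=set)
    aborted: bool = False

    def abort(self) -> None:
        """Abandon this login attempt. Only the session-scoped actions go
        away; the user's persistent actions are untouched."""
        self.aborted = True
        self.required_actions.clear()


def pending_actions(cs: ClientSession) -> set:
    """Everything still outstanding before this particular login can finish:
    the user's persistent actions plus this session's temporary ones."""
    if cs.aborted:
        return set()
    return cs.user.required_actions | cs.required_actions


def complete_action(cs: ClientSession, action: str) -> None:
    """Record that `action` was performed inside this login attempt.
    Session-scoped actions are matched first, so completing a temporary
    action never reaches into the user's persistent list."""
    if cs.aborted:
        raise RuntimeError("login attempt was aborted")
    if action in cs.required_actions:
        cs.required_actions.discard(action)
    elif action in cs.user.required_actions:
        cs.user.required_actions.discard(action)
    else:
        raise ValueError(f"{action} is not pending for this login")


def login_can_complete(cs: ClientSession) -> bool:
    """A login succeeds only when nothing is pending and it was not aborted."""
    return not cs.aborted and not pending_actions(cs)


def start_reset_login(user: User, client_id: str, actions: set) -> ClientSession:
    """Model of the 'forgot password' / 'admin reset email' entry point:
    the requested actions are attached to a fresh ClientSession, not to
    the user, so an abandoned reset leaves no permanent mark on the user."""
    return ClientSession(client_id=client_id, user=user,
                         required_actions=set(actions))


if __name__ == "__main__":
    # Constructed walk-through: alice has a persistent VERIFY_EMAIL action,
    # an admin sends her a reset link that asks for UPDATE_PASSWORD.
    alice = User("alice", {VERIFY_EMAIL})
    reset = start_reset_login(alice, "account-console", {UPDATE_PASSWORD})
    print("pending during reset login:", sorted(pending_actions(reset)))
    reset.abort()  # she closes the browser instead of finishing
    print("user actions after abort:", sorted(alice.required_actions))
    normal = ClientSession("account-console", alice)
    print("pending on a normal login:", sorted(pending_actions(normal)))
```

In the walk-through the aborted reset attempt disappears without leaving `UPDATE_PASSWORD` on the user, while the persistent `VERIFY_EMAIL` action still blocks the next ordinary login until it is completed; that is the "temporary" behaviour the message describes.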