[keycloak-dev] Preventing password managers from filling password fields on forms outside login

[Stian Thorgersen]

Password managers are becoming increasingly naive when it comes to filling
a form with username/password. In fact Firefox's algorithm is as simple as:

* Is there a input type=text followed by input type=password then sure it's
a login form
* autocomplete=false let's ignore that, otherwise those pesky web
developers may stop us from filling username/password

Makes sense right? Well sure it does as long as it's an actual login form.
Problems comes when it's not, for example in Keycloak:

* Admin wants to reset user credentials - Firefox enters admins own password
* Admin wants to register a identity broker - Firefox enters admins
username/password as client id/secret
* User wants to register new user - Firefox enters previously used password
* This is the best one! When admin wants to configure a authenticator and
the config type is a string Firefox enters the password into the hidden
password input, then since the visible text field and the hidden password
field share the same model Angular copies the value from the hidden
password field to the text field and no the admins password is visible in
clear text. More details in KEYCLOAK-2804.

Awesome stuff! Every form with a password field must be a login form
right?!?

Solution is simple. If you create a form that has a input type=password
then add the following to the top of the form:

    <input type="text" readonly value="this is not a login form"
style="display: none;">
    <input type="password" readonly value="this is not a login form"
style="display: none;">

This will make the password manager assume does fields are the
username/password fields and since they are readonly it won't fill them.

Changes to Keycloak here https://github.com/keycloak/keycloak/pull/2600.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160413/7d283bfd/attachment.html