<html><body><div><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><span class="body-text-content">----- Original Message -----<br></span></span><blockquote class="quoted-plain-text" type="cite">From: "Michael Gerber" &lt;<a href="mailto:gerbermichi@me.com" data-mce-href="mailto:gerbermichi@me.com">gerbermichi@me.com</a>&gt;</blockquote><blockquote class="quoted-plain-text" type="cite">To: "Stian Thorgersen" &lt;<a href="mailto:stian@redhat.com" data-mce-href="mailto:stian@redhat.com">stian@redhat.com</a>&gt;</blockquote><blockquote class="quoted-plain-text" type="cite">Sent: Monday, January 26, 2015 2:10:59 PM</blockquote><blockquote class="quoted-plain-text" type="cite">Subject: Re: [keycloak-dev] Looking for a workaround...</blockquote><blockquote class="quoted-plain-text" type="cite">----- Original Message -----</blockquote><blockquote class="quoted-plain-text" type="cite">From: "Michael Gerber" &lt;<a href="mailto:gerbermichi@me.com" data-mce-href="mailto:gerbermichi@me.com">gerbermichi@me.com</a>&gt;</blockquote><blockquote class="quoted-plain-text" type="cite">To: <a href="mailto:keycloak-dev@lists.jboss.org" data-mce-href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite">Sent: Monday, January 26, 2015 1:37:53 PM</blockquote><blockquote class="quoted-plain-text" type="cite">Subject: [keycloak-dev] Looking for a workaround...</blockquote><blockquote class="quoted-plain-text" type="cite">Hi all,</blockquote><blockquote class="quoted-plain-text" type="cite">I receive a lot of bug reports from our test team because of the following</blockquote><blockquote class="quoted-plain-text" type="cite">two issues:</blockquote><blockquote class="quoted-plain-text" type="cite">- Reset password leads to 400 Bad Request (</blockquote><blockquote class="quoted-plain-text" type="cite"><a href="https://issues.jboss.org/browse/KEYCLOAK-1014" data-mce-href="https://issues.jboss.org/browse/KEYCLOAK-1014">https://issues.jboss.org/browse/KEYCLOAK-1014</a> )</blockquote><blockquote class="quoted-plain-text" type="cite">This is a tricky one - we can't ignore the state variable as that would make</blockquote><blockquote class="quoted-plain-text" type="cite">it vulnerable.</blockquote><blockquote class="quoted-plain-text" type="cite">We could probably come up with an alternative way to generate and verify</blockquote><blockquote class="quoted-plain-text" type="cite">the state variable though. Could be an HMAC for example.</blockquote><blockquote class="quoted-plain-text" type="cite">So you would remove the state cookie?</blockquote><span class="body-text-content"><span class="body-text-content"><br>It could potentially be a solution - I started a separate thread on keycloak-dev to discuss this.<br><br></span></span><blockquote class="quoted-plain-text" type="cite">- Login attempt after "Login user action lifespan" leads to "Invalid username</blockquote><blockquote class="quoted-plain-text" type="cite">or password." ( <a href="https://issues.jboss.org/browse/KEYCLOAK-1015" data-mce-href="https://issues.jboss.org/browse/KEYCLOAK-1015">https://issues.jboss.org/browse/KEYCLOAK-1015</a> )</blockquote><blockquote class="quoted-plain-text" type="cite">I agree that the error message is not very good, but I disagree with removing</blockquote><blockquote class="quoted-plain-text" type="cite">the expiration. Why not increase it to say 30 min? That's probably a more</blockquote><blockquote class="quoted-plain-text" type="cite">sensible timeout for reset password as well.</blockquote><blockquote class="quoted-plain-text" type="cite">I prefer an expiration of 5 min for the password update process, but that's a</blockquote><blockquote class="quoted-plain-text" type="cite">bit short for the authentication or password reset process.</blockquote><blockquote class="quoted-plain-text" type="cite">I think the best solution would be different expiration times for the</blockquote><blockquote class="quoted-plain-text" type="cite">different processes, wouldn't it?</blockquote><span class="body-text-content"><span class="body-text-content"><br>Maybe - we do try to keep configuration options to a minimum as these introduce complexity as well as potential for bug/security issues.</span></span></div></div></blockquote><br>I totally understand that.
<br>You currently have the following actions:<br>OAUTH_GRANT,<br>CODE_TO_TOKEN,<br>VERIFY_EMAIL,<br>UPDATE_PROFILE,<br>CONFIGURE_TOTP,<br>UPDATE_PASSWORD,<br>RECOVER_PASSWORD,<br>AUTHENTICATE,<br>SOCIAL_CALLBACK<br><br>And it doesn't make sense to have a different configuration for every one...<br>But maybe we can group them into different groups?<br><br><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><span class="body-text-content"><br><br></span></span><blockquote class="quoted-plain-text" type="cite">Do you have any good ideas for a workaround?</blockquote><blockquote class="quoted-plain-text" type="cite">Best</blockquote><blockquote class="quoted-plain-text" type="cite">Michael</blockquote><blockquote class="quoted-plain-text" type="cite">_______________________________________________</blockquote><blockquote class="quoted-plain-text" type="cite">keycloak-dev mailing list</blockquote><blockquote class="quoted-plain-text" type="cite"><a href="mailto:keycloak-dev@lists.jboss.org" data-mce-href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote></div></div></blockquote></div></div></body></html>
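As an added illustration of the two ideas raised in the thread above (it is not Keycloak's code and not part of the mail): an HMAC-signed state value that needs no state cookie to verify, with the expiration chosen per action group rather than configured for every action. The key, the grouping of the listed actions and the timeouts are constructed assumptions.

```python
import base64, binascii, hashlib, hmac, json, os, time

# Constructed grouping of the actions named in the mail into lifespan buckets.
# The buckets and timeouts are assumptions for illustration, not Keycloak's config.
ACTION_GROUP = {
    "AUTHENTICATE": "login", "RECOVER_PASSWORD": "login", "SOCIAL_CALLBACK": "login",
    "OAUTH_GRANT": "login", "CODE_TO_TOKEN": "login",
    "UPDATE_PASSWORD": "credential", "CONFIGURE_TOTP": "credential",
    "VERIFY_EMAIL": "profile", "UPDATE_PROFILE": "profile",
}
GROUP_LIFESPAN_SECONDS = {"login": 30 * 60, "credential": 5 * 60, "profile": 30 * 60}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(key: bytes, action: str, now=None) -> str:
    """Mint a self-verifying state: payload.tag, nothing stored server-side."""
    issued_at = int(time.time() if now is None else now)
    claims = {"a": action, "iat": issued_at, "n": _b64(os.urandom(16))}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_state(key: bytes, state: str, action: str, now=None):
    """Return (ok, reason); reject malformed, forged, mis-bound or expired state."""
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(payload)  # only reached for payloads we signed ourselves
    group = ACTION_GROUP.get(action)
    if group is None or claims.get("a") != action:
        return False, "wrong action"
    age = (time.time() if now is None else now) - claims["iat"]
    if age > GROUP_LIFESPAN_SECONDS[group]:
        return False, "expired"
    return True, "ok"
```

Because the action is bound into the signed payload, a state minted for AUTHENTICATE is rejected on the UPDATE_PASSWORD callback even though both are valid signatures, and each group's timeout applies without a separate setting per action.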