<div dir="ltr">+1 To setting re-auth after a configurable time for both admin console and account mngmt. I still think we should ask for password though.</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 11:45, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On 27 November 2015 at 10:23, Vlastimil Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I have two proposals for cleanup of 'Change password' screen in Account<br>
app based on my experience with it:<br>
<br>
1. remove Cancel button - it has no any meaning on this screen/form, it<br>
only reshowns form with empty fields. And also there is a bug,<br>
"Password" field is hidden when it is used, which makes whole form unusable.<br></blockquote><div><br></div></span><div>+1</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
2. remove validation of current password (remove "Password" field). Two<br>
reasons for this:<br>
- security impact of this check is small. If attacker is able to<br>
compromise Account app then he can always change email and then use<br>
"Forgot password" feature to change password<br>
- user created over Identity Provider do not know old password<br>
(because it is not set) so he is not able to set password using this screen<br>
After we implement support for reauthentication (KEYCLOAK-2076) then we<br>
should set some reasonable reauth timeout for Account app instead, this<br>
will make it more secure at all.<br></blockquote><div><br></div></span><div>-1 Reset password over email may not be enabled at all. We already allow setting password for IdPs login without requiring the existing password.</div><div><br></div><div>+1 To suggestion from Thomas - we should ask for password when updating email at least when recover password over email is enabled.</div><div><br></div><div>It seems to be common practice to ask for current password when updating the existing password.</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If you agree then I can create JIRA issue for this and provide PR.<br>
<span><font color="#888888"><br>
Vlastimil<br>
<br>
--<br>
Vlastimil Elias<br>
Principal Software Engineer<br>
Developer Portal Engineering Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></span></div><br></div></div>
</blockquote></div><br></div>