<div dir="ltr">Hmm... Re-auth request for REST endpoints is even more tricky. I think a REST endpoint would just have to return a 401? Then it&#39;s up to the client to figure out that it needs to re-authenticate.</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 13:22, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><div><div class="h5">
    <br>
    <br>
    <div>On 27.11.2015 12:28, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 27 November 2015 at 12:16,
            Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> Hi,<span><br>
                  <br>
                  <div>On 27.11.2015 11:45, Stian Thorgersen wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr"><br>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On 27 November 2015 at
                          10:23, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
                            <br>
                            I have two proposals for cleanup of the &#39;Change password&#39; screen in the Account app, based on my experience with it:<br>
                            <br>
                            1. Remove the Cancel button - it has no meaning on this screen/form; it only re-shows the form with empty fields. There is also a bug: the &quot;Password&quot; field is hidden when it is used, which makes the whole form unusable.<br>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>+1</div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </span> OK, I&#39;m going to create a JIRA and provide a PR for this.<span><br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_extra">
                        <div class="gmail_quote">
                          <div> </div>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
                            2. Remove validation of the current password (remove the &quot;Password&quot; field). Two reasons for this:<br>
                               - the security impact of this check is small. If an attacker is able to compromise the Account app, then he can always change the email and then use the &quot;Forgot password&quot; feature to change the password<br>
                               - users created over an Identity Provider do not know the old password (because it is not set), so they are not able to set a password using this screen<br>
                            After we implement support for reauthentication (KEYCLOAK-2076), we should set some reasonable reauth timeout for the Account app instead; this will make it more secure overall.<br>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>-1. Reset password over email may not be enabled at all. We already allow setting a password for IdP logins without requiring the existing password.</div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </span> Fair enough<span><br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_extra">
                        <div class="gmail_quote">
                          <div><br>
                          </div>
                          <div>+1 to the suggestion from Thomas - we should ask for the password when updating the email, at least when password recovery over email is enabled.</div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </span> Makes sense, but what to do if the user has no password set at this point? Don&#39;t ask him, or reauthenticate him by another available mechanism?<br>
                <br>
                And there are also other &quot;dangerous&quot; operations in the Account app. E.g. an attacker who gains access to it can disable OTP without any recheck. This should be protected too.<br>
                I believe the whole Account app should be correctly protected by reauthentication. The question is whether to implement it somehow specifically in the app, or resolve this generally as part of KEYCLOAK-2076.</div>
            </blockquote>
            <div><br>
            </div>
            <div>Yep, you&#39;re right, there are other dangerous operations as well. Re-authentication sounds like the correct approach, rather than requesting the password again. We could have two configurable timeouts in the account management console: one that requires re-auth for anything (~30 min default), and another that requires re-auth for sensitive operations (~5 min).</div>
            <div><br>
            </div>
            <div>One thing with re-auth is that if it happens when a user submits a form, you then somehow have to also remember the values of the form. Currently account management is stateless.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br></div></div>
    Yep, implementing reauthentication schemes correctly in client apps may be tricky, mainly for POST requests (and even worse, POSTs with file upload) and AJAX call handlers etc.<br>
    Besides the Keycloak Account app, we should try to provide reasonable support in the Keycloak adapters, but it may be tricky as the related Java EE specifications (JAAS subsystems, auth-related things in the Java Servlet and EJB specs) do not really account for these more complicated schemes.<br>
    <br>
    And I also thought about whether a reauthentication scheme should somehow be implemented at the REST API level also.<br>
    E.g. some REST endpoint operation will define that it needs reauth with some timeout. If a client app calls it with a Bearer token, then it should be able to test the last auth timestamp (which should be possible as it may be in the token as a claim) and propagate back the info that it needs reauth (how to map this to HTTP?). Support for this should then be added to frameworks like RestEasy.<br>
    <br>
    Vl.<span class=""><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"><span><font color="#888888"><br>
                    <br>
                    Vlastimil</font></span><span><br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_extra">
                        <div class="gmail_quote">
                          <div><br>
                          </div>
                          <div>It seems to be common practice to ask for the current password when updating the existing password.</div>
                          <div> </div>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
                            If you agree then I can create a JIRA issue for this and provide a PR.<br>
                            <span><font color="#888888"><br>
                                Vlastimil<br>
                                <br>
                                --<br>
                                Vlastimil Elias<br>
                                Principal Software Engineer<br>
                                Developer Portal Engineering Team<br>
                                <br>
                                <br>
                                <br>
_______________________________________________<br>
                                keycloak-dev mailing list<br>
                                <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
                                <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                              </font></span></blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </span></div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </span></div>

</blockquote></div><br></div>
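The REST-level reauth check Vlastimil sketches (compare the last-authentication timestamp carried in the Bearer token as a claim against a per-endpoint timeout) together with Stian's HTTP mapping (return a 401), as an added example that is not from this thread or from Keycloak, written in Python rather than Java so it runs stand-alone. Assumed: the endpoint paths and which ones are sensitive, the realm name, the two windows (30 min general, 5 min sensitive, from Stian's proposal), that the adapter has already verified the token signature before this check, and the challenge format, which borrows the `insufficient_user_authentication` error and `max_age` parameter later standardized in RFC 9470 (the thread predates it).

```python
import base64
import json

# Freshness windows from the thread's proposal: re-auth for anything after ~30 min,
# for sensitive operations after ~5 min (assumed defaults).
DEFAULT_MAX_AGE = 30 * 60
SENSITIVE_MAX_AGE = 5 * 60

# Hypothetical account-app endpoints; which ones count as sensitive is an assumption.
ENDPOINT_MAX_AGE = {
    "POST /account/password": SENSITIVE_MAX_AGE,
    "POST /account/email": SENSITIVE_MAX_AGE,
    "DELETE /account/totp": SENSITIVE_MAX_AGE,
    "GET /account": DEFAULT_MAX_AGE,
}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_claims(token):
    """Return the payload claims of a compact JWT, or None if it is malformed.
    The signature is assumed to have been verified by the adapter before this runs."""
    try:
        _header, payload, _sig = token.split(".")
        return json.loads(_b64url_decode(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None

def check_reauth(token, max_age, now):
    """Map the freshness check to HTTP: (200, {}) if auth_time is within max_age seconds
    of `now` (epoch seconds), else (401, headers) with a Bearer challenge naming the window."""
    challenge = 'Bearer realm="account", error="insufficient_user_authentication", max_age=%d' % max_age
    claims = decode_claims(token)
    # A token without auth_time cannot prove freshness, so it is treated as stale.
    if claims is None or "auth_time" not in claims or now - int(claims["auth_time"]) > max_age:
        return 401, {"WWW-Authenticate": challenge}
    return 200, {}

def authorize(method, path, token, now):
    """Per-endpoint timeout lookup; unknown endpoints get the general window."""
    return check_reauth(token, ENDPOINT_MAX_AGE.get(method + " " + path, DEFAULT_MAX_AGE), now)

def make_token(claims):
    """Constructed, unsigned test token (header.payload.signature with an empty signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```

The client, on seeing the 401 with that challenge, redirects the user through the login flow with the same max_age, so the new token carries a fresh auth_time.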