<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi,<br>
    <br>
    <div class="moz-cite-prefix">On 27.11.2015 11:45, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 27 November 2015 at 10:23,
            Vlastimil Elias <span dir="ltr">&lt;<a
                moz-do-not-send="true" class="moz-txt-link-abbreviated"
                href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
              <br>
              I have two proposals for cleanup of the 'Change password'
              screen in the Account<br>
              app, based on my experience with it:<br>
              <br>
              1. Remove the Cancel button: it has no meaning on this
              screen/form, it<br>
              only re-shows the form with empty fields. And there is also a
              bug:<br>
              the "Password" field is hidden when it is used, which makes
              the whole form unusable.<br>
            </blockquote>
            <div><br>
            </div>
            <div>+1</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    OK, I'm going to create a JIRA and provide a PR for this.<br>
    <br>
    <blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <br>
              2. Remove validation of the current password (remove the
              "Password" field). Two<br>
              reasons for this:<br>
                 - The security impact of this check is small. If an attacker
              is able to<br>
              compromise the Account app, he can always change the email and
              then use the<br>
              "Forgot password" feature to change the password.<br>
                 - A user created over an Identity Provider does not know the old
              password<br>
              (because it is not set), so he is not able to set a password
              using this screen.<br>
              After we implement support for reauthentication
              (KEYCLOAK-2076), we<br>
              should set some reasonable reauth timeout for the Account app
              instead; this<br>
              will make it more secure overall.<br>
            </blockquote>
            <div><br>
            </div>
            <div>-1 Reset password over email may not be enabled at all.
              We already allow setting a password for IdP logins without
              requiring the existing password.</div>
          </div>
        </div>
      </div>
    </blockquote>
    Fair enough<br>
    <blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div><br>
            </div>
            <div>+1 To suggestion from Thomas - we should ask for
              password when updating email at least when recover
              password over email is enabled.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Makes sense, but what to do if the user has no password set at this
    point? Don't ask him, or reauthenticate him by another available
    mechanism?<br>
    <br>
    And there are also other "dangerous" operations in the Account app. E.g.
    an attacker who gains access to it can disable OTP without any recheck.
    This should be protected too.<br>
    I believe the whole Account app should be correctly protected by
    reauthentication. The question is whether to implement it specifically
    in the app, or to resolve this generally as part of KEYCLOAK-2076.<br>
    <br>
    Vlastimil<br>
    <br>
    <blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div><br>
            </div>
            <div>It seems to be common practice to ask for current
              password when updating the existing password.</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <br>
              If you agree then I can create a JIRA issue for this and
              provide a PR.<br>
              <span class="HOEnZb"><font color="#888888"><br>
                  Vlastimil<br>
                  <br>
                  --<br>
                  Vlastimil Elias<br>
                  Principal Software Engineer<br>
                  Developer Portal Engineering Team<br>
                  <br>
                  <br>
                  <br>
                  _______________________________________________<br>
                  keycloak-dev mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
                  <a moz-do-not-send="true"
                    href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                    rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                </font></span></blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
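    <br>
    As an added illustration (not code from this thread and not Keycloak's own
    implementation), the following Python sketch models the policy the thread
    converges on: sensitive account operations (change password, change e-mail,
    disable OTP) are gated by a fresh authentication within an assumed timeout;
    a user who has a password must re-enter it; a user created through an IdP
    with no password is asked for another available credential (OTP here) or
    is refused until he logs in again. The operation names, the 300-second
    window, the account fields and the PBKDF2 parameters are all assumptions
    made for the example.<br>

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Operations the thread treats as "dangerous": changing the password,
# changing the e-mail (it unlocks "forgot password") and disabling OTP.
# The names are assumed for this example.
SENSITIVE_OPERATIONS = frozenset({"change_password", "change_email", "disable_otp"})

# Assumed re-authentication window (the "reasonable reauth timeout" the
# thread mentions); the value is a placeholder, not a Keycloak setting.
REAUTH_MAX_AGE_SECONDS = 300


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is illustrative only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: Optional[bytes]   # None for a user created through an IdP
    otp_enabled: bool
    last_auth_ts: float              # when this session last proved a credential
    email_reset_enabled: bool        # realm allows "forgot password" over e-mail


def needs_reauth(operation: str, account: Account) -> bool:
    """Decide whether the operation must be gated at all."""
    if operation not in SENSITIVE_OPERATIONS:
        return False
    if operation == "change_email":
        # Per the thread: ask for credentials on e-mail change at least
        # when password recovery over e-mail is enabled.
        return account.email_reset_enabled
    return True


def authorize(operation: str, account: Account, now: float,
              presented_password: Optional[str] = None,
              otp_verified: bool = False) -> Tuple[bool, str]:
    """
    Returns (allowed, reason). Order of checks:
      1. authentication within the window      -> allowed
      2. user has a password                   -> must re-enter it
      3. no password (IdP user) but OTP exists -> OTP proof accepted instead
      4. nothing to prove with                 -> deny, fresh login required
    A successful credential check refreshes last_auth_ts.
    """
    if not needs_reauth(operation, account):
        return True, "not gated"
    if now - account.last_auth_ts <= REAUTH_MAX_AGE_SECONDS:
        return True, "recent authentication"
    if account.password_hash is not None:
        if presented_password is None:
            return False, "current password required"
        # Constant-time comparison of the derived key.
        if hmac.compare_digest(hash_password(presented_password, account.salt),
                               account.password_hash):
            account.last_auth_ts = now
            return True, "current password verified"
        return False, "current password incorrect"
    if account.otp_enabled and otp_verified:
        account.last_auth_ts = now
        return True, "OTP verified in place of password"
    return False, "no credential available; fresh login required"


def run_scenarios() -> dict:
    """Constructed accounts exercising the thread's edge cases."""
    salt = b"constructed-salt"
    pw_user = Account(salt, hash_password("correct horse", salt), True, 0.0, True)
    idp_user = Account(salt, None, False, 0.0, True)          # IdP user, no OTP
    idp_otp_user = Account(salt, None, True, 0.0, False)      # IdP user with OTP
    now = 10_000.0
    return {
        "pw_user_wrong": authorize("change_password", pw_user, now, "guess")[0],
        "pw_user_right": authorize("change_password", pw_user, now, "correct horse")[0],
        # last_auth_ts was refreshed by the successful check just above
        "pw_user_then_disable_otp": authorize("disable_otp", pw_user, now + 60)[0],
        "idp_user_no_cred": authorize("change_password", idp_user, now)[0],
        "idp_user_email_no_reset": authorize("change_email", idp_otp_user, now)[0],
        "idp_otp_user_disable_otp": authorize("disable_otp", idp_otp_user, now,
                                              otp_verified=True)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

    The point of the sketch is the fallback order: a recent authentication
    short-circuits every check, a password user is never let through on a
    stale session without re-entering the password, and an IdP user without
    any credential is refused rather than silently allowed.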
  </body>
</html>