<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
<div class="moz-cite-prefix">On 27.11.2015 11:45, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at 10:23,
Vlastimil Elias <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:velias@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:velias@redhat.com">velias@redhat.com</a></a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I have two proposals for cleanup of 'Change password'
screen in Account<br>
app based on my experience with it:<br>
<br>
1. remove Cancel button - it has no any meaning on this
screen/form, it<br>
only reshowns form with empty fields. And also there is a
bug,<br>
"Password" field is hidden when it is used, which makes
whole form unusable.<br>
</blockquote>
<div><br>
</div>
<div>+1</div>
</div>
</div>
</div>
</blockquote>
<br>
OK, I'm going to create JIRA and provide PR for this.<br>
<br>
<blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
2. remove validation of current password (remove
"Password" field). Two<br>
reasons for this:<br>
- security impact of this check is small. If attacker
is able to<br>
compromise Account app then he can always change email and
then use<br>
"Forgot password" feature to change password<br>
- user created over Identity Provider do not know old
password<br>
(because it is not set) so he is not able to set password
using this screen<br>
After we implement support for reauthentication
(KEYCLOAK-2076) then we<br>
should set some reasonable reauth timeout for Account app
instead, this<br>
will make it more secure at all.<br>
</blockquote>
<div><br>
</div>
<div>-1 Reset password over email may not be enabled at all.
We already allow setting password for IdPs login without
requiring the existing password.</div>
</div>
</div>
</div>
</blockquote>
Fair enough<br>
<blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>+1 To suggestion from Thomas - we should ask for
password when updating email at least when recover
password over email is enabled.</div>
</div>
</div>
</div>
</blockquote>
<br>
Makes sense, but what to do if user has no password set at this
point? Don't ask him, or reauthenticate him by other available
mechanism?<br>
<br>
And there are also other "dangerous" operations in Account app. Eg.
attacker who gains access to it can disable OTP without any recheck.
This should be protected too.<br>
I believe whole Account app should be correctly protected by
reauthentications. Question is if implement it somehow specifically
in the app, or resolve this generally as part of KEYCLOAK-2076.<br>
<br>
Vlastimil<br>
<br>
<blockquote
cite="mid:CAJgngAfmBXXsEiuKJNTrrUeq9jT1ChLHpKusyh8OwSSw_ddxtQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>It seems to be common practice to ask for current
password when updating the existing password.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If you agree then I can create JIRA issue for this and
provide PR.<br>
<span class="HOEnZb"><font color="#888888"><br>
Vlastimil<br>
<br>
--<br>
Vlastimil Elias<br>
Principal Software Engineer<br>
Developer Portal Engineering Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</body>
</html>