<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 12:16, Vlastimil Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi,<span class=""><br>
<br>
<div>On 27.11.2015 11:45, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at 10:23,
Vlastimil Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank"></a><a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I have two proposals for cleanup of 'Change password'
screen in Account<br>
app based on my experience with it:<br>
<br>
1. remove Cancel button - it has no any meaning on this
screen/form, it<br>
only reshowns form with empty fields. And also there is a
bug,<br>
"Password" field is hidden when it is used, which makes
whole form unusable.<br>
</blockquote>
<div><br>
</div>
<div>+1</div>
</div>
</div>
</div>
</blockquote>
<br></span>
OK, I'm going to create JIRA and provide PR for this.<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
2. remove validation of current password (remove
"Password" field). Two<br>
reasons for this:<br>
- security impact of this check is small. If attacker
is able to<br>
compromise Account app then he can always change email and
then use<br>
"Forgot password" feature to change password<br>
- user created over Identity Provider do not know old
password<br>
(because it is not set) so he is not able to set password
using this screen<br>
After we implement support for reauthentication
(KEYCLOAK-2076) then we<br>
should set some reasonable reauth timeout for Account app
instead, this<br>
will make it more secure at all.<br>
</blockquote>
<div><br>
</div>
<div>-1 Reset password over email may not be enabled at all.
We already allow setting password for IdPs login without
requiring the existing password.</div>
</div>
</div>
</div>
</blockquote></span>
Fair enough<span class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>+1 To suggestion from Thomas - we should ask for
password when updating email at least when recover
password over email is enabled.</div>
</div>
</div>
</div>
</blockquote>
<br></span>
Makes sense, but what to do if user has no password set at this
point? Don't ask him, or reauthenticate him by other available
mechanism?<br>
<br>
And there are also other "dangerous" operations in Account app. Eg.
attacker who gains access to it can disable OTP without any recheck.
This should be protected too.<br>
I believe whole Account app should be correctly protected by
reauthentications. Question is if implement it somehow specifically
in the app, or resolve this generally as part of KEYCLOAK-2076.</div></blockquote><div><br></div><div>Yep, you're right there's other dangerous operations as well. Re-authentication sounds like the correct approach, rather than requesting the password again. We could have two configurable timeouts in account management console. One that requires re-auth for anything (~30 min default), and another that requires re-auth for sensitive operations (~5 min).</div><div><br></div><div>One thing with re-auth is that if it happens when a user submits a form, you then someone have to also remember the values of the form. Currently account management is stateless.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span class="HOEnZb"><font color="#888888"><br>
<br>
Vlastimil</font></span><span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>It seems to be common practice to ask for current
password when updating the existing password.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If you agree then I can create JIRA issue for this and
provide PR.<br>
<span><font color="#888888"><br>
Vlastimil<br>
<br>
--<br>
Vlastimil Elias<br>
Principal Software Engineer<br>
Developer Portal Engineering Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</span></div>
</blockquote></div><br></div></div>