<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 27.11.2015 13:25, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAeyVh97FhYY-WPSRyqxVpw8ksNZWrLWg37UqE-4BsJmUw@mail.gmail.com"
type="cite">
<div dir="ltr">Hmm.. re-auth request for rest endpoints is even
more tricky. I think a rest endpoint would just have to return a
401? Then it's up to the client to figure out that it needs to
re-authenticate.</div>
</blockquote>
<br>
Yep, 401 matches best probably, but at least a hint in some response
header would be cool, probably in WWW-Authenticate as it is
mandatory for 401 ;-) But this is the future, proper Keycloak server
support is necessary first ;-)<br>
<br>
Vl.<br>
<br>
<blockquote
cite="mid:CAJgngAeyVh97FhYY-WPSRyqxVpw8ksNZWrLWg37UqE-4BsJmUw@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at 13:22, Vlastimil
Elias <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>
<div class="h5"> <br>
<br>
<div>On 27.11.2015 12:28, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at
12:16, Vlastimil Elias <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:velias@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:velias@redhat.com">velias@redhat.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<span><br>
<br>
<div>On 27.11.2015 11:45, Stian
Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27
November 2015 at 10:23,
Vlastimil Elias <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:velias@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:velias@redhat.com">velias@redhat.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">Hi,<br>
<br>
I have two proposals for
cleanup of 'Change password'
screen in Account<br>
app based on my experience
with it:<br>
<br>
1. remove Cancel button - it has no meaning on this screen/form, it<br>
only re-shows the form with empty fields. And also there is a bug,<br>
the "Password" field is hidden when it is used, which makes the whole form unusable.<br>
</blockquote>
<div><br>
</div>
<div>+1</div>
</div>
</div>
</div>
</blockquote>
<br>
</span> OK, I'm going to create a JIRA and
provide a PR for this.<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
2. remove validation of current password (remove "Password" field). Two<br>
reasons for this:<br>
- the security impact of this check is small. If an attacker is able to<br>
compromise the Account app then he can always change the email and then use<br>
the "Forgot password" feature to change the password<br>
- users created over an Identity Provider do not know the old password<br>
(because it is not set) so they are not able to set a password using this screen<br>
After we implement support for reauthentication (KEYCLOAK-2076) then we<br>
should set some reasonable reauth timeout for the Account app instead, this<br>
will make it more secure overall.<br>
</blockquote>
<div><br>
</div>
<div>-1 Reset password over
email may not be enabled at
all. We already allow setting
password for IdPs login
without requiring the existing
password.</div>
</div>
</div>
</div>
</blockquote>
</span> Fair enough<span><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>+1 To suggestion from
Thomas - we should ask for
password when updating email
at least when recover password
over email is enabled.</div>
</div>
</div>
</div>
</blockquote>
<br>
</span> Makes sense, but what to do if the
user has no password set at this point?
Don't ask him, or reauthenticate him by
another available mechanism?<br>
<br>
And there are also other "dangerous"
operations in the Account app. E.g. an attacker
who gains access to it can disable OTP
without any recheck. This should be
protected too.<br>
I believe the whole Account app should be
correctly protected by reauthentication.
The question is whether to implement it somehow
specifically in the app, or resolve this
generally as part of KEYCLOAK-2076.</div>
</blockquote>
<div><br>
</div>
<div>Yep, you're right there are other dangerous
operations as well. Re-authentication sounds
like the correct approach, rather than
requesting the password again. We could have
two configurable timeouts in the account
management console. One that requires
re-auth for anything (~30 min default), and
another that requires re-auth for sensitive
operations (~5 min).</div>
<div><br>
</div>
<div>One thing with re-auth is that if it
happens when a user submits a form, you then
somehow have to also remember the values of
the form. Currently account management is
stateless.</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
Yep, implementing reauthentication schemes correctly in
client apps may be tricky, mainly for POST requests (and
even worse POSTs with file upload) and AJAX call handlers
etc.<br>
Besides the Keycloak Account app we should try to provide
reasonable support in Keycloak adapters, but it may be
tricky as the related Java EE specifications (JAAS subsystems,
auth related things in the Java Servlet and EJB specs) do not
account for these more complicated schemes too much.<br>
<br>
And I also thought about whether a reauthentication scheme should be
somehow implemented on the REST API level also.<br>
E.g. some REST endpoint operation will define that it needs
reauth with some timeout. If a client app calls it with a
Bearer token then it should be able to test the last auth
timestamp (which should be possible as it may be in the
token as a claim) and propagate back info that it needs
reauth (how to map this to HTTP?). Support for this should
be added to frameworks like RestEasy then.<br>
<br>
Vl.<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span><font
color="#888888"><br>
<br>
Vlastimil</font></span><span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>It seems to be common
practice to ask for current
password when updating the
existing password.</div>
<div> </div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
If you agree then I can create a
JIRA issue for this and provide a
PR.<br>
<span><font color="#888888"><br>
Vlastimil<br>
<br>
--<br>
Vlastimil Elias<br>
Principal Software Engineer<br>
Developer Portal Engineering
Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"
target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
rel="noreferrer"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</span></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</body>
</html>