[keycloak-user] Login user action lifespan

Niko Köbler niko at n-k.de
Thu Jul 16 07:45:43 EDT 2015


Hi,

You can set the "login user action lifespan" in the realm settings; it is the time the link is valid for a user to set a password (or do other tasks).
This link seems to be valid and working even if the user has clicked on it and has done the tasks.

Is it possible to configure this link to be valid only once during its lifespan? Or at least to be invalid as soon as the user has set his password/done the login actions?
Otherwise this link could be used to change the password again, after the user has already set his password - possibly by third persons who got to know of this link. Maybe a security issue?

Thanks & regards,
- Niko

