[keycloak-user] Login user action lifespan

Niko Köbler niko at n-k.de
Thu Jul 16 08:24:40 EDT 2015 

We are still on 1.2.0

Steps to reproduce:
- create a user via Admin API
- trigger to send the password-reset mail via Admin API
- click on the link in the mail to set the password
- try to log in -> works
- go back to your mails, click again on the password-reset link in the mail
- change your password
- try to log in with old password -> doesn’t work
- try to log in with new password -> works
- and so on…



> Am 16.07.2015 um 14:00 schrieb Stian Thorgersen <stian at redhat.com>:
> 
> That's definitively not correct behavior. What version are you on? Can you give me exact steps to reproduce?
> 
> ----- Original Message -----
>> From: "Niko Köbler" <niko at n-k.de>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>> Subject: Re: [keycloak-user] Login user action lifespan
>> 
>> It is valid.
>> I can change my password again and again…
>> 
>> 
>>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen <stian at redhat.com>:
>>> 
>>> Does it seem that it is valid, or is it valid? It should only be usable
>>> once.
>>> 
>>> ----- Original Message -----
>>>> From: "Niko Köbler" <niko at n-k.de>
>>>> To: keycloak-user at lists.jboss.org
>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>> Subject: [keycloak-user] Login user action lifespan
>>>> 
>>>> Hi,
>>>> 
>>>> you can set the „login user action lifespan“ in realm settings for the
>>>> time
>>>> the link is valid for a user to set a password (or other tasks).
>>>> This link seems to be valid and working even if the user has clicked on it
>>>> and has done the tasks.
>>>> 
>>>> Is it possible to configure this link to be valid only once during its
>>>> lifespan ? Or at least to be invalid as soon the user has set his
>>>> password/done the login actions?
>>>> Otherwise this link could be used to change the password again, after the
>>>> user has already set his password - possibly from third persons who got
>>>> known of this link. May be a security issue?
>>>> 
>>>> Thanks & regards,
>>>> - Niko
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 
>>

More information about the keycloak-user mailing list