[keycloak-user] Login user action lifespan

Niko Köbler niko at n-k.de
Thu Jul 16 08:30:31 EDT 2015


Sorry, I forgot to mention this step: I actually changed the password (set it the first time).

In the meantime I tried this loop (click link in mail, change password, log in) more than 5 times… it still works!


> Am 16.07.2015 um 14:26 schrieb Stian Thorgersen <stian at redhat.com>:
> 
> 
> 
> ----- Original Message -----
>> From: "Niko Köbler" <niko at n-k.de>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Thursday, 16 July, 2015 2:24:40 PM
>> Subject: Re: [keycloak-user] Login user action lifespan
>> 
>> We are still on 1.2.0
>> 
>> Steps to reproduce:
>> - create a user via Admin API
>> - trigger sending of the password-reset mail via Admin API
>> - click on the link in the mail to set the password
>> - try to log in -> works
> 
> Have you actually changed the password here, or just log in?
> 
>> - go back to your mails, click again on the password-reset link in the mail
>> - change your password
>> - try to log in with old password -> doesn’t work
>> - try to log in with new password -> works
>> - and so on…
>> 
>> 
>> 
>>> Am 16.07.2015 um 14:00 schrieb Stian Thorgersen <stian at redhat.com>:
>>> 
>>> That's definitely not correct behavior. What version are you on? Can you
>>> give me exact steps to reproduce?
>>> 
>>> ----- Original Message -----
>>>> From: "Niko Köbler" <niko at n-k.de>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-user at lists.jboss.org
>>>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>> 
>>>> It is valid.
>>>> I can change my password again and again…
>>>> 
>>>> 
>>>>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen <stian at redhat.com>:
>>>>> 
>>>>> Does it seem that it is valid, or is it valid? It should only be usable
>>>>> once.
>>>>> 
>>>>> ----- Original Message -----
>>>>>> From: "Niko Köbler" <niko at n-k.de>
>>>>>> To: keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>>>> Subject: [keycloak-user] Login user action lifespan
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> you can set the „login user action lifespan" in realm settings for the
>>>>>> time the link is valid for a user to set a password (or other tasks).
>>>>>> This link seems to be valid and working even if the user has clicked on
>>>>>> it and has done the tasks.
>>>>>> 
>>>>>> Is it possible to configure this link to be valid only once during its
>>>>>> lifespan? Or at least to be invalid as soon as the user has set his
>>>>>> password/done the login actions?
>>>>>> Otherwise this link could be used to change the password again, after
>>>>>> the user has already set his password - possibly by third persons who
>>>>>> got to know of this link. May be a security issue?
>>>>>> 
>>>>>> Thanks & regards,
>>>>>> - Niko
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> 
>>>> 
>> 
>> 
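The behaviour Niko asks for (a reset link that is bound to a lifespan, usable exactly once, and dead as soon as the password has been set) is shown below as an added, self-contained example. It is not Keycloak code and does not reflect how Keycloak 1.2.0 implemented its reset flow; it is a generic illustration of the three checks a reset token needs: an HMAC signature with an embedded expiry, a server-side set of consumed nonces, and a per-user credential version that invalidates every link issued before the last password change. The `ResetTokenService`, `User`, the per-realm HMAC key and the fake clock are all assumptions made for this example; the `demo()` function walks through Niko's reproduction steps with constructed data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class User:
    """Minimal user record; password_hash is None until the reset link is redeemed."""
    password_hash: Optional[bytes] = None
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    credential_version: int = 0  # bumped on every password change


class ResetTokenService:
    """Time-limited, single-use password-reset tokens (illustrative, not Keycloak's)."""

    def __init__(self, lifespan_seconds: int, clock: Callable[[], float] = time.time):
        self.lifespan = lifespan_seconds
        self.clock = clock
        self.key = secrets.token_bytes(32)        # assumption: a per-realm HMAC key
        self.users: Dict[str, User] = {}
        self.consumed: Set[str] = set()           # nonces that have already been redeemed

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Build the token that would be embedded in the reset mail's link."""
        user = self.users.setdefault(user_id, User())
        nonce = secrets.token_urlsafe(16)          # base64url chars only, never ':'
        exp = int(self.clock()) + self.lifespan    # the "login user action lifespan"
        payload = f"{user_id}:{user.credential_version}:{exp}:{nonce}"
        return f"{payload}:{self._sign(payload)}"

    def redeem(self, token: str, new_password: str) -> Tuple[bool, str]:
        """Set the password if the token is genuine, unexpired, unused and not stale."""
        try:
            user_id, version, exp, nonce, sig = token.rsplit(":", 4)
        except ValueError:
            return False, "malformed"
        payload = f"{user_id}:{version}:{exp}:{nonce}"
        if not hmac.compare_digest(self._sign(payload), sig):
            return False, "bad signature"          # tampered payload or expiry
        if int(self.clock()) > int(exp):
            return False, "expired"                # lifespan check
        if nonce in self.consumed:
            return False, "already used"           # single-use check
        user = self.users.get(user_id)
        if user is None or int(version) != user.credential_version:
            return False, "stale"                  # password changed since link was issued
        self.consumed.add(nonce)
        user.password_hash = self._hash(new_password, user.salt)
        user.credential_version += 1               # every older outstanding link is now stale
        return True, "password set"

    def verify_password(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        if user is None or user.password_hash is None:
            return False
        return hmac.compare_digest(self._hash(password, user.salt), user.password_hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def demo() -> dict:
    """Replays the steps from the thread against the single-use implementation."""
    now = [1_000_000]                               # constructed fake clock (epoch seconds)
    svc = ResetTokenService(lifespan_seconds=300, clock=lambda: now[0])
    svc.users["alice"] = User()                     # user created via the Admin API, no password yet
    link1 = svc.issue("alice")                      # reset mail triggered via the Admin API
    link2 = svc.issue("alice")                      # a second mail, still outstanding
    out = {}
    out["first_redeem"] = svc.redeem(link1, "hunter2")            # click link, set password
    out["second_redeem"] = svc.redeem(link1, "attacker-chosen")   # go back to the mail, click again
    out["login_new"] = svc.verify_password("alice", "hunter2")
    out["login_replayed"] = svc.verify_password("alice", "attacker-chosen")
    out["older_link"] = svc.redeem(link2, "also-attacker")        # issued before the change
    link3 = svc.issue("alice")
    now[0] += 301                                                 # wait past the lifespan
    out["expired"] = svc.redeem(link3, "late")
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:15} -> {result}")
```

The order of checks matters: the signature is verified before anything in the token is trusted, the expiry and consumed-nonce checks reject replays of a genuine link, and the credential version covers the case the thread is about, where a second copy of the link (or an older mail) is clicked after the password has already been set.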