[keycloak-user] Login user action lifespan

Niko Köbler niko at n-k.de
Thu Jul 16 08:44:05 EDT 2015


Done.
https://issues.jboss.org/browse/KEYCLOAK-1576

Thanks!


> On 16.07.2015 at 14:32, Stian Thorgersen <stian at redhat.com> wrote:
> 
> Can you create a JIRA for this please?
> 
> ----- Original Message -----
>> From: "Niko Köbler" <niko at n-k.de>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Thursday, 16 July, 2015 2:30:31 PM
>> Subject: Re: [keycloak-user] Login user action lifespan
>> 
>> Sorry, I forgot to mention this step: I actually changed the password (set it
>> the first time).
>> 
>> In the meantime I tried this loop (click link in mail, change password, log
>> in) more than 5 times… it still works!
>> 
>> 
>>> On 16.07.2015 at 14:26, Stian Thorgersen <stian at redhat.com> wrote:
>>> 
>>> 
>>> 
>>> ----- Original Message -----
>>>> From: "Niko Köbler" <niko at n-k.de>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-user at lists.jboss.org
>>>> Sent: Thursday, 16 July, 2015 2:24:40 PM
>>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>> 
>>>> We are still on 1.2.0
>>>> 
>>>> Steps to reproduce:
>>>> - create a user via Admin API
>>>> - trigger to send the password-reset mail via Admin API
>>>> - click on the link in the mail to set the password
>>>> - try to log in -> works
>>> 
>>> Have you actually changed the password here, or just logged in?
>>> 
>>>> - go back to your mails, click again on the password-reset link in the mail
>>>> - change your password
>>>> - try to log in with old password -> doesn’t work
>>>> - try to log in with new password -> works
>>>> - and so on…
>>>> 
>>>> 
>>>> 
>>>>> On 16.07.2015 at 14:00, Stian Thorgersen <stian at redhat.com> wrote:
>>>>> 
>>>>> That's definitely not correct behavior. What version are you on? Can you
>>>>> give me exact steps to reproduce?
>>>>> 
>>>>> ----- Original Message -----
>>>>>> From: "Niko Köbler" <niko at n-k.de>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>>>>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>>>> 
>>>>>> It is valid.
>>>>>> I can change my password again and again…
>>>>>> 
>>>>>> 
>>>>>>> On 16.07.2015 at 13:49, Stian Thorgersen <stian at redhat.com> wrote:
>>>>>>> 
>>>>>>> Does it seem that it is valid, or is it valid? It should only be usable
>>>>>>> once.
>>>>>>> 
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Niko Köbler" <niko at n-k.de>
>>>>>>>> To: keycloak-user at lists.jboss.org
>>>>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>>>>>> Subject: [keycloak-user] Login user action lifespan
>>>>>>>> 
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> You can set the "login user action lifespan" in realm settings for the time
>>>>>>>> the link is valid for a user to set a password (or other tasks).
>>>>>>>> This link seems to be valid and working even if the user has clicked on it
>>>>>>>> and has done the tasks.
>>>>>>>> 
>>>>>>>> Is it possible to configure this link to be valid only once during its
>>>>>>>> lifespan? Or at least to be invalid as soon as the user has set his
>>>>>>>> password/done the login actions?
>>>>>>>> Otherwise this link could be used to change the password again, after the
>>>>>>>> user has already set his password - possibly by third persons who got to
>>>>>>>> know of this link. May be a security issue?
>>>>>>>> 
>>>>>>>> Thanks & regards,
>>>>>>>> - Niko
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>> 
>>>>>> 
>>>> 
>>>> 
>> 
>> 
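
The behaviour expected in this thread (a reset link bounded by a lifespan that also stops working once it has been used), as an added example that is not Keycloak's code and not from any participant. The class, method names, user ids and in-memory store are assumptions made for illustration; `redeem` is meant to be called when the password is actually set.

```python
import hashlib
import secrets
import time


class ActionTokenStore:
    """Hypothetical store for reset-link tokens: time-limited AND single-use."""

    def __init__(self, lifespan_seconds, clock=time.time):
        self.lifespan = lifespan_seconds
        self.clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        # A new mail supersedes any older, still-pending link for this user.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self.clock() + self.lifespan)
        return token

    def redeem(self, token):
        """Return the user id for an unused, unexpired token, else None."""
        # pop() removes the entry before anything else happens, so a second
        # click on the same link finds nothing, even inside the lifespan.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            return None
        return user_id


def replay_demo():
    """Constructed scenario: click, click again, then an expired link."""
    now = [1000.0]
    store = ActionTokenStore(lifespan_seconds=300, clock=lambda: now[0])
    link = store.issue("user-1")
    first = store.redeem(link)    # password set for the first time
    second = store.redeem(link)   # same link from the mail, clicked again
    late = store.issue("user-1")
    now[0] += 301                 # lifespan elapsed before the click
    expired = store.redeem(late)
    return first, second, expired
```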
