----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 15 July, 2014 4:59:02 PM
Subject: Re: [keycloak-dev] Reset password and verify email links are too long
Can you wait to fix this? I have changes everywhere. :)
Yes, I was just thinking about how it could be done
But, I thought AccessCode could be:
id, session-id, timestamp
UserSession has an Enum login-state (logging-in, logged-in, etc.) and is
associated with AccessCode and stores any information that is needed.
FYI, the token is generated right now so scope doesn't have to be
recalculated. Maybe this isn't really an optimization as signature
generation would take a lot longer :)
If that's what you're saying +1.
Are you referring to option 1, storing the required info in the user session temporarily?
Not sure I understand the details about what you're proposing though.
On 7/15/2014 11:49 AM, Stian Thorgersen wrote:
> After the token manager was made stateless the full code is sent in emails
> (reset password and verify email), this is not very nice as it's very
> long.
>
> Two ideas on how to fix this:
>
> 1. Save the code (user sessions?) and convert back to sending just the code
> id in the email
> 2. Send the info required to create a code (clientId, scope, state and
> redirect encoded with the realm key)
> 3. Send a short code that has to be copied/pasted back into the current
> login form
>
> My thoughts are:
>
> 1. Nice and simple, but requires "storing" the code temporarily. Another
> thing we could do is to associate it with the session, this would make
> sure the email can only be clicked by the user that actually initiated it.
> 2. Not so nice as I think it'll still create too long links (especially if
> redirect and state are big).
> 3. Kinda nice, but changes the way it all works. This may actually be the
> optimal and more secure way to do it though.
>
> See https://issues.jboss.org/browse/KEYCLOAK-542 for how big the link in
> the email actually is ;)
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
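The following is an added sketch of option 1 from the thread (a short random code id in the email, with the AccessCode reduced to id, session-id and timestamp and the rest kept on a UserSession carrying a login-state enum). It is not Keycloak code and not code from either author; the class names, the UserSession fields, the five-minute lifetime and the example URLs are all assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Sketch of option 1: only a short, random code id goes into the email link. */
public class ShortCodeLinks {

    /** Login state kept on the user session, as suggested in the thread. */
    enum LoginState { LOGGING_IN, LOGGED_IN, RESET_PASSWORD, VERIFY_EMAIL }

    /** Hypothetical user session; the fields are assumptions, not Keycloak's model. */
    static final class UserSession {
        final String id;
        final String clientId;
        final String scope;
        final String state;
        final String redirectUri;
        volatile LoginState loginState = LoginState.LOGGING_IN;

        UserSession(String id, String clientId, String scope, String state, String redirectUri) {
            this.id = id; this.clientId = clientId; this.scope = scope;
            this.state = state; this.redirectUri = redirectUri;
        }
    }

    /** AccessCode reduced to id, session-id and timestamp, as proposed. */
    static final class AccessCode {
        final String id;
        final String sessionId;
        final Instant createdAt;

        AccessCode(String id, String sessionId, Instant createdAt) {
            this.id = id; this.sessionId = sessionId; this.createdAt = createdAt;
        }
    }

    private final Map<String, UserSession> sessions = new ConcurrentHashMap<>();
    private final Map<String, AccessCode> codes = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl; // assumed code lifetime

    ShortCodeLinks(Duration ttl) { this.ttl = ttl; }

    UserSession startSession(UserSession session) {
        sessions.put(session.id, session);
        return session;
    }

    /** Creates a code bound to the session and returns only its id for the email link. */
    String issueCode(String sessionId, LoginState purpose, Instant now) {
        UserSession session = sessions.get(sessionId);
        if (session == null) throw new IllegalArgumentException("unknown session");
        byte[] raw = new byte[16]; // 128 bits of entropy, yet only 22 URL-safe characters
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        codes.put(id, new AccessCode(id, sessionId, now));
        session.loginState = purpose;
        return id;
    }

    /**
     * Redeems a code id from a clicked link. The browser must present the same
     * session id that initiated the flow, so the link only works for the user
     * who actually requested it.
     */
    Optional<UserSession> redeem(String codeId, String presentedSessionId, Instant now) {
        AccessCode code = codes.remove(codeId); // single use: any attempt consumes it
        if (code == null) return Optional.empty();
        if (now.isAfter(code.createdAt.plus(ttl))) return Optional.empty();      // expired
        if (!code.sessionId.equals(presentedSessionId)) return Optional.empty(); // other browser
        return Optional.ofNullable(sessions.get(code.sessionId));
    }

    public static void main(String[] args) {
        ShortCodeLinks store = new ShortCodeLinks(Duration.ofMinutes(5));
        Instant now = Instant.now();
        UserSession s = store.startSession(new UserSession("sess-1", "account", "openid",
                "xyz", "https://app.example/cb")); // constructed sample values
        String id = store.issueCode(s.id, LoginState.RESET_PASSWORD, now);
        System.out.println("link: https://sso.example/reset?code=" + id + " (" + id.length() + " chars)");
        System.out.println("same session: " + store.redeem(id, "sess-1", now).isPresent());
        System.out.println("replay:       " + store.redeem(id, "sess-1", now).isPresent());
    }
}
```

The clientId, scope, state and redirect never leave the server, which is what keeps the link short; the id itself carries no signature because its unguessability and the server-side lookup do that job. Removing the code before the session and expiry checks makes it strictly single use, so a click from the wrong browser burns it and the user has to request a fresh email; with 128-bit ids that costs a legitimate user nothing and leaves a guesser no second try at the same code.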