This is probably what you've said already Bill, but just to make sure:
1. Associate the required information to create a token from an access code with the user
session (basically what's in AccessCodeEntry now)
2. The code that is sent as the query param only contains id, session-id, timestamp
3. Once we receive a code to swap for a token we remove the information added in 1 from
the user session and use this to generate the token
Couple questions:
* Do we do this just for emails? or also for the code sent in login redirects?
* Do we really need session-id and timestamp, or isn't id enough?
* Isn't this pretty much just going back to state-full TokenManager except we're
saving it in the UserSession instead of TokenManager itself?
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 16 July, 2014 11:34:39 AM
Subject: Re: [keycloak-dev] Reset password and verify email links are to long
+1 to associate code with the UserSession and remove it once code is
exchanged. This will also help to fix the issue we discussed before,
that now it's possible to exchange same code multiple times, which is
not in line with OAuth2 specs. Created
https://issues.jboss.org/browse/KEYCLOAK-560 and linked with
https://issues.jboss.org/browse/KEYCLOAK-542
Marek
On 16.7.2014 10:58, Stian Thorgersen wrote:
> Are you talking about reducing the size of the code altogether or just for
> the email links?
>
> I was thinking about just saving the base64 encoded access-code with the
> user session temporarily, then sending the access code id (36 char
> uuid as before) in the email. First time the user clicks on the link the
> access code would be removed from the session, so this would also make the
> links a one-time-click thing.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 15 July, 2014 6:14:45 PM
>> Subject: Re: [keycloak-dev] Reset password and verify email links are to
>> long
>>
>>
>>
>> On 7/15/2014 12:34 PM, Stian Thorgersen wrote:
>>>> If that's what you're saying +1.
>>> Are you referring to option 1, storing the required info in the user
>>> session temporarily? Not sure I understand the details about what you're
>>> proposing though.
>>>
>> Yes, option 1. AccessCode should be associated with the user session.
>> Appropriate state needs to be stored in the session as AccessCode
>> currently saves a lot of stuff.
>>
>> Then the code only has to contain:
>>
>> id, session-id, timestamp
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
>> http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
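The scheme summarised at the top of the thread (state parked in the user session, a code that carries only id, session-id and timestamp, and the parked state removed on the first exchange so a code cannot be swapped twice), as an added Python sketch that is not part of this thread or of Keycloak's code base. `UserSession`, `AccessCodeManager`, the HMAC over the code, the expiry TTL and the token claim names are all assumptions of this example:

```python
import base64
import hashlib
import hmac
import time
import uuid


class CodeExchangeError(Exception):
    """Raised when a code cannot be exchanged for a token."""


class UserSession:
    """Constructed stand-in for a server-side user session.

    pending_codes maps a code id to the state needed to mint the token,
    i.e. what the thread says AccessCodeEntry currently carries itself.
    """

    def __init__(self, session_id, username):
        self.id = session_id
        self.username = username
        self.pending_codes = {}


class AccessCodeManager:
    """Issues codes that carry only id, session-id and timestamp, and
    exchanges each of them exactly once (constructed example)."""

    def __init__(self, hmac_key, ttl_seconds=300, clock=time.time):
        self.hmac_key = hmac_key        # assumption: codes are HMAC-signed
        self.ttl_seconds = ttl_seconds  # assumption: codes expire after a TTL
        self.clock = clock              # injectable for testing
        self.sessions = {}              # session id -> UserSession

    def create_session(self, username):
        session = UserSession(str(uuid.uuid4()), username)
        self.sessions[session.id] = session
        return session

    def _sign(self, signed_part):
        return hmac.new(self.hmac_key, signed_part.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, session, state):
        """Park `state` in the session; return the compact code for the link."""
        code_id = str(uuid.uuid4())
        session.pending_codes[code_id] = dict(state)
        signed_part = f"{code_id}.{session.id}.{int(self.clock())}"
        raw = f"{signed_part}.{self._sign(signed_part)}"
        return base64.urlsafe_b64encode(raw.encode()).decode()

    def exchange_code(self, code):
        """Validate the code, consume the parked state, return token claims."""
        try:
            raw = base64.urlsafe_b64decode(code.encode()).decode()
            code_id, session_id, ts_text, sig = raw.split(".")
            issued_at = int(ts_text)
        except (ValueError, UnicodeDecodeError):
            raise CodeExchangeError("malformed code")
        signed_part = f"{code_id}.{session_id}.{ts_text}"
        if not hmac.compare_digest(sig, self._sign(signed_part)):
            raise CodeExchangeError("bad signature")
        if self.clock() - issued_at > self.ttl_seconds:
            raise CodeExchangeError("code expired")
        session = self.sessions.get(session_id)
        if session is None:
            raise CodeExchangeError("unknown or ended user session")
        # pop() is the one-time-use guarantee: a replayed code finds nothing.
        state = session.pending_codes.pop(code_id, None)
        if state is None:
            raise CodeExchangeError("code already exchanged or never issued")
        return {"sub": session.username, "session_id": session.id, **state}


def demo():
    """Issue one code, exchange it twice; the second attempt must fail."""
    manager = AccessCodeManager(b"constructed-demo-key", ttl_seconds=60)
    session = manager.create_session("alice")
    code = manager.issue_code(session, {"action": "verify-email"})
    first = manager.exchange_code(code)
    try:
        manager.exchange_code(code)
        second = "exchanged again (bug)"
    except CodeExchangeError as err:
        second = str(err)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first exchange :", first)
    print("second exchange:", second)
```

Because the state lives in the session rather than in the code, ending the session also invalidates every outstanding code for it, and the timestamp gives a hard expiry even if the session outlives the link.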