On 8/13/2013 7:36 AM, Stian Thorgersen wrote:
I like the idea of never allowing admins to see passwords. Temporary
passwords are not very nice. It would require always having a verified means to
communicate with the user though (email, SMS, others?).
How can you implement forgot credentials then without a verified means
to communicate with the user? (email, sms, *AND* voice).
I wonder how admins feel about the "Security Questions" (i.e. mother's
maiden name). Then there would be no need to send an email.
We should also have an option on the realm that self-registered users
are required to confirm their email address (send email with verification link).
Lol, this will be one long-ass oauth redirection protocol and client_id,
state, redirect_uri etc... parameters are gonna be passed around over
and over....
Thinking about security issues, at the moment the login form shows an
error message that says the username is invalid. This allows attackers to confirm the
existence of user accounts, which is not good. It should simply state "invalid
username/password".
K, logged a JIRA:
https://issues.jboss.org/browse/KEYCLOAK-31
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 12 August, 2013 10:12:31 PM
> Subject: [keycloak-dev] credential management
>
> Registration
> * new password and password confirmation
> * TOTP secret and QR generation and confirmation.
>
> Forgot password
> * Email sent to user with URL enclosed
> * If required by realm, ask one or more random questions i.e.:
> - What is your mother's maiden name?
> - What are the last 4 digits of your social security number?
> - What is the name of your first pet?
> - When did you lose your virginity?
> - What is your birthday?
> * User enters new password and confirmation
>
> Change Password:
> * Old Password
> * New Password
> * Confirm new Password
>
> Lost Authenticator
> * Admin must create a temporary token and speak it to user
> * User can log in with this temporary token and head to their account
> management page. Token expires after a certain amount of time.
> or
> * Ask one or more random questions as in Forgot password
>
> Admin user creation:
> * Email with a link is sent to user. Link prompts user for credential
> set up.
> * Or, generate a temporary password that must be reset by the user on next
> login. Temporary password is spoken to the user or given to them by some
> other means.
>
>
> When a user logs in keycloak must check to see if
> * A temporary password was created and the user must enter a new one
> * Registration is incomplete and new credentials must be set up, i.e. an
> authenticator.
>
> Are there any security holes here? One idea I have is that the admin
> would never ever see a credential. For user creation, a temporary
> password is emailed to the user and never seen by the admin or the user
> would have to register.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
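As an added example (not code from this thread or from Keycloak itself), here is a login check that returns the single "invalid username/password" message Stian asks for, and that also reports the post-login required actions Bill lists (temporary password must be changed, registration incomplete). The user store, field names and action names are constructed for the example; a dummy hash is verified when the username is unknown so that a miss costs the same time as a wrong password and does not leak account existence through timing.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:                       # constructed user record, not Keycloak's model
    username: str
    salt: bytes
    pw_hash: bytes
    temporary: bool = False       # admin-issued temporary password
    totp_configured: bool = True  # False => registration incomplete

def make_user(username, password, temporary=False, totp_configured=True):
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), temporary, totp_configured)

# Constructed sample users.
USERS = {u.username: u for u in [
    make_user("alice", "correct horse"),
    make_user("bob", "temp-1234", temporary=True),
    make_user("carol", "pw", totp_configured=False),
]}

# Fixed dummy credential: verified when the user does not exist, so the
# response time does not reveal whether the account is real.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)
GENERIC = "invalid username/password"

def login_leaky(username, password):
    """The problem Stian describes: the message confirms whether the user exists."""
    user = USERS.get(username)
    if user is None:
        return "invalid username"
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return "invalid password"
    return "ok"

def login(username, password):
    """Uniform failure message; returns (message, required_actions)."""
    user = USERS.get(username)
    salt, expected = (user.salt, user.pw_hash) if user else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not ok:
        return GENERIC, []
    actions = []
    if user.temporary:
        actions.append("UPDATE_PASSWORD")
    if not user.totp_configured:
        actions.append("CONFIGURE_TOTP")
    return "ok", actions
```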