----- Original Message -----
From: "Michael Gerber" <gerbermichi(a)me.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, January 26, 2015 1:37:53 PM
Subject: [keycloak-dev] Looking for a workaround...
Hi all,
I receive a lot of bug reports from our test team because of the following
two issues:
- Reset password leads to 400 Bad Request (https://issues.jboss.org/browse/KEYCLOAK-1014)
This is a tricky one - we can't ignore the state variable as that would make it
vulnerable.
We could probably come up with an alternative way to generate and verify the state variable
though. It could be an HMAC, for example.
- Login attempt after "Login user action lifespan" leads to "Invalid username or password." (https://issues.jboss.org/browse/KEYCLOAK-1015)
I agree that the error message is not very good, but I disagree with removing the
expiration. Why not increase it to say 30 min? That's probably a more sensible timeout
for reset password as well.
Do you have any good ideas for a workaround?
Best
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
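The reply above floats an HMAC-based state variable and a 30-minute lifespan. The following is an added illustration of that idea, not code from this thread and not Keycloak's implementation: a self-verifying state value that carries its issue time, the client it was minted for, and a browser-held secret (a cookie value, for instance), signed with a server key so nothing has to be stored per flow. The 30-minute lifespan, the field layout and the function names are all assumptions made here for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Lifespan for a state value; 30 minutes is the figure floated in the thread (assumption).
STATE_LIFESPAN_SECONDS = 30 * 60


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value survives a query string untouched."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, payload: str) -> bytes:
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()


def issue_state(key: bytes, client_id: str, browser_token: str, now=None) -> str:
    """Mint a self-verifying state value (illustrative layout, not Keycloak's).

    The signed payload binds the issue time, the client the flow was started
    for, and a secret the browser holds (e.g. a cookie value), so the server
    needs no per-flow storage to check the value when the browser returns.
    """
    issued_at = int(time.time() if now is None else now)
    fields = [str(issued_at), client_id, browser_token, secrets.token_hex(16)]
    payload = ".".join(_b64e(f.encode("utf-8")) for f in fields)
    return payload + "." + _b64e(_mac(key, payload))


def verify_state(key: bytes, state: str, client_id: str, browser_token: str,
                 now=None, lifespan=STATE_LIFESPAN_SECONDS):
    """Return (ok, reason). The MAC is checked before any field is trusted."""
    try:
        payload, mac_b64 = state.rsplit(".", 1)
        presented = _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(presented, _mac(key, payload)):
        return False, "bad signature"
    try:
        fields = [_b64d(p).decode("utf-8") for p in payload.split(".")]
        issued_at_s, bound_client, bound_token, _nonce = fields
        issued_at = int(issued_at_s)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False, "malformed"
    current = time.time() if now is None else now
    if current - issued_at > lifespan:
        return False, "expired"
    if not hmac.compare_digest(bound_client.encode("utf-8"), client_id.encode("utf-8")):
        return False, "client mismatch"
    # Binding to a browser-held secret is what stops a state minted in the
    # attacker's own flow from being replayed into the victim's browser.
    if not hmac.compare_digest(bound_token.encode("utf-8"), browser_token.encode("utf-8")):
        return False, "browser mismatch"
    return True, "ok"
```

Two caveats a practitioner would want alongside this: the HMAC only proves the server issued the value, so the browser-bound field (or an equivalent cookie check) is still what defends the callback against CSRF, and a purely stateless value cannot be made single-use; if a state must not be replayable within its lifespan, a server-side record of consumed nonces is still needed.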