Hi Thomas,

On 27.11.2015 11:05, Thomas Raehalme wrote:
> Hi!
>
> On Fri, Nov 27, 2015 at 11:23 AM, Vlastimil Elias <velias(a)redhat.com> wrote:
>
>> 2. remove validation of current password (remove "Password" field). Two reasons for this:
>> - security impact of this check is small. If an attacker is able to compromise the Account app then he can always change the email and then use the "Forgot password" feature to change the password
>> - users created over an Identity Provider do not know the old password (because it is not set), so they are not able to set a password using this screen
>>
>> After we implement support for reauthentication (KEYCLOAK-2076) then we should set some reasonable reauth timeout for the Account app instead; this will make it more secure overall.
>
> Wouldn't it make more sense to add password validation when changing email?

Yes, this is why I write about use of the general reauthentication mechanism as defined in KEYCLOAK-2076 for the whole Account app.
It will work even for other authentication types - some Keycloak instances may be configured not to use passwords at all.

Vl

> Best regards,
> Thomas
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
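As an added illustration (not code from this thread or from Keycloak), the following shows the difference between the two approaches discussed above: a current-password check that cannot work for users without a password credential, and a credential-agnostic reauthentication-freshness gate for sensitive Account actions. The session layout, the action names and the timeout values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: a minimal Account-app session carrying the fields a
# reauthentication gate needs. Users created through an Identity Provider
# have no local password, so has_password is False for them.
@dataclass
class Session:
    username: str
    auth_time: Optional[int]   # epoch seconds of the last authentication, None if unknown
    has_password: bool

# Assumed per-action reauth timeouts in seconds (values are not from the thread).
REAUTH_MAX_AGE = {
    "change_password": 300,
    "change_email": 300,
    "view_profile": None,      # not sensitive: no freshness requirement
}

def current_password_check_possible(session: Session) -> bool:
    """The 'enter your current password' approach only works for users
    that actually hold a password credential, not for IdP-created users."""
    return session.has_password

def requires_reauth(session: Session, action: str, now: int) -> bool:
    """Credential-agnostic gate: a sensitive action is allowed only if the
    user authenticated (by any method) within the action's max age.
    An unknown auth_time is treated as stale, never as fresh."""
    max_age = REAUTH_MAX_AGE.get(action)
    if max_age is None:
        return False
    if session.auth_time is None:
        return True
    return now - session.auth_time > max_age

def gate(session: Session, action: str, now: int) -> str:
    """Decision for the Account app: 'allow' or 'reauthenticate'."""
    return "reauthenticate" if requires_reauth(session, action, now) else "allow"
```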