> Yes, the flow should be:
>
> * User tries to log in to an application and realizes that he doesn't remember
>   the password
> * Click on reset password

You mean the "Forgot password" link in the login page, right?

> * A page shows that an email has been sent to the user (including a
>   link to resend)

Don't we need a page for the user to fill in his password? This is the common
practice. Forgot password is a link and not an action in the login screen, so the
user expects to be redirected to a page. (See attachments 1 and 2)

> * The user then receives an email with a link that the user clicks on

I made a proposal. See attachment 3.

> * When the user has clicked on the link the user is brought to the
>   reset password form and can insert a new password (and password confirmation)

Attachment 4

> * When the user submits the reset password form the user is logged in
>   to the realm and redirected to the application

Some applications give feedback that the password has been saved and redirect the
user to the login page. Isn't that because of some security issue? (See attachment 5)

> How long the user has to click the link in the email depends on the
> Realm settings. By default I think it should be 15 minutes (or something along those
> lines).

I put this information in the email (attachment 3).

> There are also other cases:
>
> * Admin initiates reset on behalf of user - in this case a user gets an email, but once
>   the password is changed the user is redirected to the account management pages

Proposal in attachment 6

> * In the above scenario if there was not a validated email associated
>   with the user the user is given a temporary password by the admin - on the first login
>   with this temporary password the user is required to change it

Attachment 7

> * A password could have expired, in which case the user is required
>   to change it on next login
Attachment 1:
Attachment 2: feedback
Attachment 3: email
-----
Keycloak Password Reset
Hi Gabriel,
Someone just requested to change your Keycloak account's password.
If this was you, click the link below to set a new password:
https://www.keycloak.com/forgot?forgot_key=wOhBexgXAiY4iKdetfbDaP6kCAhIp-Mq
This link will expire within 15 minutes. If you don't want to reset your password,
just ignore this message and nothing will be changed.
Thanks,
The Keycloak Team
-----
Attachment 4
Attachment 5
Attachment 6:
-----
Keycloak Password Change
Hi Gabriel,
Your password has been changed by a Keycloak administrator.
Please access your account and update your password in the link below:
https://www.keycloak.com/forgot?forgot_key=wOhBexgXAiY4iKdetfbDaP6kCAhIp-Mq
Thanks,
The Keycloak Team
-----
Attachment 7
What do you think?
Gabriel
--
Gabriel Cardoso
GateIn Portal | User Experience Designer