Hi!

My case is as follows: we have a mobile project which has no website. For some policy reasons we cannot use any web forms for this project (Keycloak forms included), and the app interacts only with our REST service. When a user resets credentials, he should receive an email with an OTP code (not a link) to enter into the mobile app.

Another reason for not using a link is that the user must stay in the mobile app context.

App context (three-step flow):

1. User clicks “forgot password”, enters email and clicks next

2. User sees “enter reset code here”, pastes the code from the email and clicks next

3. User enters a new password, clicks “save” and can work with the app

A link breaks this scenario and adds one more context, and the user has to open it in a browser. How can the user trust it? It is more difficult for the users in this case.

I would prefer that the EmailTemplateProvider.sendPasswordReset method had an additional configurable OTP parameter. Then, using my own templates, I could send the user an OTP, a link, or both.

Discussion starts here: http://lists.jboss.org/pipermail/keycloak-dev/2015-August/005092.html

Nekrasov Aleksander,

Developer,

Center of Financial Technologies
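
The three-step flow described in the message above, sketched on the REST-service side as an added example; it is not part of the original post and not Keycloak code. The class `ResetCodeService`, the 6-digit code length, the 10-minute lifetime and the 5-attempt cap are all assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

public class ResetCodeService {   // hypothetical helper, not a Keycloak class
    private static final int MAX_ATTEMPTS = 5;       // assumed policy
    private static final long TTL_SECONDS = 600;     // assumed policy: 10 minutes
    private static final SecureRandom RNG = new SecureRandom();
    private static final class Pending { byte[] hash; Instant expires; int attempts; }
    private final Map<String, Pending> pending = new HashMap<>();

    // Step 1: create the 6-digit code for the e-mail template; only its hash is kept.
    public synchronized String issue(String email, Instant now) throws Exception {
        String code = Integer.toString(1_000_000 + RNG.nextInt(1_000_000)).substring(1);
        Pending p = new Pending();
        p.hash = sha256(email + ":" + code);
        p.expires = now.plusSeconds(TTL_SECONDS);
        pending.put(email, p);    // a new request replaces any earlier code
        return code;
    }

    // Step 2: check the code typed into the app; true unlocks step 3 (set new password).
    public synchronized boolean verify(String email, String code, Instant now) throws Exception {
        Pending p = pending.get(email);
        if (p == null) return false;
        if (now.isAfter(p.expires) || ++p.attempts > MAX_ATTEMPTS) {
            pending.remove(email);    // expired or too many guesses: user must restart
            return false;
        }
        if (!MessageDigest.isEqual(p.hash, sha256(email + ":" + code))) return false;
        pending.remove(email);        // single use
        return true;
    }

    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        ResetCodeService svc = new ResetCodeService();
        Instant t0 = Instant.parse("2015-08-01T10:00:00Z");   // constructed sample time
        String code = svc.issue("user@example.com", t0);      // constructed sample address
        System.out.println(svc.verify("user@example.com", "wrong", t0));              // wrong code
        System.out.println(svc.verify("user@example.com", code, t0.plusSeconds(60))); // correct code
        System.out.println(svc.verify("user@example.com", code, t0.plusSeconds(61))); // replay of used code
    }
}
```

A short numeric code carries far less entropy than the token in a reset link, which is why the attempt cap, expiry and single-use removal are part of verification here.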