Can you elaborate on what the benefits are of these changes? It seems to me that we had
something that was working just fine.

----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
Sent: Sunday, 16 August, 2015 11:26:54 PM
Subject: [keycloak-dev] Reset Password changes complete needs review

> Here's what I did, I can change things based on questions I asked in
> other emails, but here's how it works.
>
> There's now the concept of "reset password" and a different one
>
> * Reset password is something the user initiates. This will start an
> Authentication Flow and success will log in the user and bring them to

I assume this is still through email - if so it's important that users are only
logged in if the reset password link is opened in the same user session as they initiated
the reset password flow.

> * Change password is something initiated by an admin. This just
> an email to the user to reset their password and does not start an

I don't understand why there are two different names/concepts here.

> Reset Password changes:
>
> * A Temporary Code is included in the Email in addition to a clickable

What's the benefit of a temporary code? Is it not easier for a user to just click the
link? Having both seems like it could confuse users.

> * When a user requests to be sent an email, they are brought to a
> screen. This screen allows the user to alternatively enter in the code
> from the email rather than clicking on a link.
> * Temporary codes can only be entered once. If it is entered wrong,
> user has to start login process all over again.
> * Links can only be clicked once.
> * The "Enter code" screen is shown with a success message even if a bad
> username or email is entered. This is how it worked before. I'm
> guessing this is here to avoid guessing email/usernames?
>
> Change Password changes:
>
> * It is a different email than Reset Password as there is no code
>
> * Should we get rid of the "back to login" links and instead have a
> "Cancel" button? This applies to registration

Cancel suggests to me that it would go back to the application. Back to login is more
clear that it goes back to the login screen. A user could have clicked the recover
password link by mistake.

> * Should "Enter code" screen show a success even if the
> was invalid? Do we need to protect hackers from guessing usernames?

Yes, we should never make it possible to guess/check usernames/emails.
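The properties argued for in this thread (single-use code or link, one attempt before the user must start over, a code bound to the session that requested it, and an identical response whether or not the username exists) as a small Python model. This is an added illustration, not Keycloak's code; the users dict, the 600-second lifetime and the outbox standing in for email delivery are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class PasswordResetService:
    """Toy model of the reset-password flow discussed in the thread; not Keycloak code."""

    CODE_TTL = 600  # seconds a code or link stays valid (assumed value)

    def __init__(self, users):
        self.users = users      # {username: email}; constructed sample data
        self.pending = {}       # session_id -> (username, code_hash, expires_at)
        self.outbox = []        # stands in for email delivery: (email, code)

    @staticmethod
    def _digest(code):
        # store only a hash so a leaked pending table does not leak usable codes
        return hashlib.sha256(code.encode()).hexdigest()

    def request_reset(self, identifier, session_id, now):
        """Step 1: the user asks for a reset by username or email. The visible
        response is the same whether or not the account exists; only the
        outbox differs, which is what keeps usernames/emails unguessable."""
        username = next((u for u, e in self.users.items()
                         if identifier in (u, e)), None)
        if username is not None:
            code = secrets.token_hex(8)   # emailed both as a link and as a typeable code
            self.pending[session_id] = (username, self._digest(code), now + self.CODE_TTL)
            self.outbox.append((self.users[username], code))
        return "If that account exists, an email has been sent."

    def redeem(self, code, session_id, now):
        """Step 2: the user clicks the link or types the code. The pending entry
        is removed before it is checked, so a wrong or expired code cannot be
        retried and the link cannot be used twice. The entry is keyed by the
        session that requested it, so a link opened in another browser session
        finds nothing and logs nobody in."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return None
        username, code_hash, expires_at = entry
        if now > expires_at:
            return None
        if not hmac.compare_digest(code_hash, self._digest(code)):
            return None
        return username   # caller completes login and shows the update-password screen
```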