On 8/20/2015 10:05 AM, Stian Thorgersen wrote:
> If it makes it easier I think sending a recover password link, but
> not logging in the user afterwards is fine.

I implemented it so that after you type in the username for Forgot
Password, it brings you to the login screen with a message "You should
receive an email with instructions to reset your credentials". Clicking
on the link in the email allows you to log in.
I added a fork() method that clones the current ClientSession and resets
it to follow the browser login flow. This is called in the email
authenticator. I couldn't get around introducing another SPI method.
JBoss, a division of Red Hat