From the technical point of view I don't like the idea of adding a
special case that lets you set the admin password. Not just because of the additional
work, but also as it adds a possible security hole. There are also situations where
someone may set a more secure admin password on an initial installation prior to handing
over to an admin, in which case there will be a password set, but the admin will be
required to set the password. What we have covers both those use cases, as well as the use
cases for when a password is required to be changed (suspected attack, expired password,
etc).
On the other side, with regards to usability, I believe any user or admin of Keycloak is
likely to experience the "update password" page, and may do so several times while
using Keycloak. This page will be displayed after the user has logged in with
username/password (and optionally totp). I agree that this can be confusing, especially as
it has the exact same layout as the login screen and only text changes. If we can find a
solution to making this page more obvious to users that would also sufficiently solve the
first login case in my opinion.
By the way the last attachment doesn't work as the screen should be displayed after
the user has logged in, and hence not require the user to enter a username.
----- Original Message -----
From: "Gabriel Cardoso" <gcardoso(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Monday, 19 May, 2014 6:58:18 PM
Subject: Re: [keycloak-dev] Issues with the first login flow
From the technical side, it requires a special logic. For the user, the login
screen in the first access is a useless step. But I understand that you
might want to prioritise other things that must be done.
That said, how about a page like this to update the password? It is easier to
recognise and it would work both in the first login and when the account
status is changed.
https://dl.dropboxusercontent.com/u/2730435/password2.png
On May 19, 2014, at 12:30 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
> I don't like that solution as it requires special logic in the server to
> handle the first login.
>
> I would much rather we improve the screen where a user is required to reset
> the password.
>
> ----- Original Message -----
>> From: "Gabriel Cardoso" <gcardoso(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 19 May, 2014 4:24:33 PM
>> Subject: Re: [keycloak-dev] Issues with the first login flow
>>
>> In my proposal it would have the same style as the login page, but the
>> paragraph + inputs would create this visual differentiation to call the
>> user’s attention.
>>
>> Can’t we have something like the wireframe, Stian?
>>
>>
>> On May 19, 2014, at 5:25 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>
>>> I don't think we should have a separate update password page, but instead
>>> make the generic "you need to update your password" page more obvious.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Saturday, 17 May, 2014 7:33:44 PM
>>>> Subject: Re: [keycloak-dev] Issues with the first login flow
>>>>
>>>>
>>>>
>>>> On 5/16/2014 1:56 PM, Gabriel Cardoso wrote:
>>>>>
>>>>> "for some reason, I didn't see that the form has changed and not asking
>>>>> for my username/password anymore but new password/confirmation of
>>>>> password
>>>>> I lost a bit of time as I was wondering where to change the password (it
>>>>> was just in front of me really…)"
>>>>>
>>>>
>>>> I have hit this a few times myself! I think the update password page
>>>> needs to look different than the login page.
>>>>
>>>>
>>>>
>>>>> I don’t see a reason for having the login page for the first login.
>>>>> Instead, we could have only the page to update the password, like
>>>>> suggested in this wireframe:
>>>>>
>>>>> https://issues.jboss.org/secure/attachment/12379916/1%20Update%20Password...
>>>>> <https://issues.jboss.org/secure/attachment/12379916/1 Update Password.png>
>>>>>
>>>>> Is this something managed by Keycloak? Is it possible to make this
>>>>> change?
>>>>>
>>>>
>>>> Well, you would get this update password page if your account status
>>>> was changed too.
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>
>> ---
>> Gabriel Cardoso
>> User Experience Designer @ Red Hat
>>
>>
---
Gabriel Cardoso
User Experience Designer @ Red Hat