----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
Sent: Sunday, 16 August, 2015 1:15:17 AM
Subject: [keycloak-dev] refactoring reset password
> I'm refactoring reset password. I'll be adding a pluggable
> "reset-credentials" flow so that users can add things like answering
> secret questions before they are sent the email. They will also be able
> to remove/disable sending an email and implement their own mechanism.
> Our old implementation would just reset the user's password; they would
> then have to click back to the application and restart the login process.
> With flows, I can log the user in. Isn't that a better approach?

That's incorrect: the old flow would log the user in if the reset password link was
opened in the same browser session as the flow was initiated from.

> The only issue with automatic login is OTP. What should the default
> behavior be here?
>
> 1) If OTP is set up for the user or if required by realm, automatically
> set the OTP required action.
> 2) If OTP is set up for the user and not required by realm, disable
> their OTP, let them log in.
> 3) If OTP is set up for the user or if required by realm, don't
> automatically set the OTP required action, let the user log in after.
> 4) If OTP is set up for the user or required by realm, don't set the OTP
> required action; after a successful email, require them to enter the OTP.
>
> I think the default behavior should be #1. Without coding, users would
> still be able to configure any option above in the admin console by
> adding various authenticators to the flow.

I'm not following - in #1 are users required to re-configure OTP?
JBoss, a division of Red Hat
keycloak-dev mailing list
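The flow discussed in this thread, as an added example that is not part of the original messages and not Keycloak's own code: a small Python model of a reset link that is bound to the browser session that started the flow (the same-session condition the reply describes, so a link opened elsewhere only resets the password and does not log anyone in), a single-use and expiring link, and the four post-reset OTP options from the thread as a selectable policy. Every name here (issue_reset_link, open_reset_link, apply_otp_policy, complete_reset, the CONFIGURE_TOTP action string, SERVER_KEY, TOKEN_TTL) is an assumption for illustration, not a Keycloak identifier.

```python
"""Toy model of a reset-credentials flow (constructed for this thread; not Keycloak code).

The reset token carries the id of the browser session that requested the reset,
so when the link is opened the server can tell "same session" from "other browser".
After a same-session reset the four OTP options from the thread decide whether the
user is logged in directly, sent to an OTP challenge, or handed a required action.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment HMAC key
TOKEN_TTL = 300                        # assumed link lifetime in seconds
_consumed = set()                      # nonces of links already used (single use)


@dataclass
class Realm:
    otp_required: bool = False


@dataclass
class User:
    username: str
    otp_configured: bool = False
    required_actions: set = field(default_factory=set)
    password: str = ""


def issue_reset_link(username, session_id, now=None):
    """Build the token placed in the e-mail, bound to the requesting session."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    nonce = secrets.token_hex(8)
    payload = f"{username}|{session_id}|{exp}|{nonce}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def open_reset_link(token, browser_session_id, now=None):
    """Validate the link. Returns (username, same_session); raises ValueError.

    Signature is checked first (constant time), then expiry, then single use.
    same_session is True only when the link is opened by the session that
    requested it, which is the condition for continuing into a login.
    """
    parts = token.split("|")
    if len(parts) != 5:
        raise ValueError("malformed token")
    username, session_id, exp, nonce, mac = parts
    payload = "|".join(parts[:4])
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    if int(exp) < (now if now is not None else time.time()):
        raise ValueError("expired")
    if nonce in _consumed:
        raise ValueError("already used")
    _consumed.add(nonce)
    return username, hmac.compare_digest(session_id, browser_session_id)


def apply_otp_policy(option, user, realm):
    """The four post-reset behaviours listed in the thread.

    Returns the login state: 'logged_in' or 'otp_challenge'.
    """
    otp_relevant = user.otp_configured or realm.otp_required
    if option == 1:
        if otp_relevant:
            user.required_actions.add("CONFIGURE_TOTP")  # assumed action name
        return "logged_in"
    if option == 2:
        if user.otp_configured and not realm.otp_required:
            user.otp_configured = False  # disable the user's OTP, then log in
        return "logged_in"
    if option == 3:
        return "logged_in"               # no required action, plain login
    if option == 4:
        return "otp_challenge" if otp_relevant else "logged_in"
    raise ValueError("unknown option")


def complete_reset(user, realm, new_password, same_session, option=1):
    """Set the new password; only a same-session reset continues into a login."""
    user.password = new_password
    if not same_session:
        return "password_reset_only"     # user must start the login again
    return apply_otp_policy(option, user, realm)
```

The policy selector is where the thread's ambiguity shows up in code: option 1 adds a configure-OTP required action even when the user already has OTP set up, which is exactly the "are users required to re-configure OTP?" question the reply raises; a deployment choosing option 4 instead keeps the existing secret and challenges for it before the session is established.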