----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 31 August, 2015 4:09:54 PM
Subject: Re: [keycloak-dev] refactored admin reset email and required actions
> On 8/31/2015 7:06 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Saturday, 22 August, 2015 3:31:56 AM
>>> Subject: [keycloak-dev] refactored admin reset email and required actions
>>>
>>> Admin console can send a reset password email to the user. Originally
>>> it just executed update password. I changed this so that it sets an
>>> Update Password required action on the User. The email link click runs
>>> all required actions set for the user, then displays a message that the
>>> Account has been updated.
>>
>> The admin console could do either - set a password (and choose if it was
>> temporary or not) as well as send a reset password link
>>
> Admin console can still manually set the password (temporary or not).
>>>
>>> When I get back, I'm also going to change the admin console behavior and
>>> look too. Instead of a "Reset Password Email" button on Credentials
>>> tab, there will be a button next to the Required Actions selection box
>>> on user detail, something like "Email Required Actions" (I need a
>>> better name). Clicking on this button will send an email to user
>>
>> This isn't the correct approach IMO. What we used to have was the ability
>> for an admin to send an email to a user to allow the user to recover the
>> password. It wasn't a required action, just something the user could do if
>> they needed to. I think how it worked before was much clearer to end
>> users, also credentials tab is the correct place for "recovering
>> password".
>>
> I'll repeat myself. There may be more than one credential the
> admin/user needs/wants to reset. These credentials may also be custom
> ones written by a system integrator. I don't want to introduce yet
> another SPI for credential recovery when it would work exactly the same
> way as required actions. Now, there is one place the admin can email
> the user to perform any specific action.
Recovering credentials is not a required action. It's an optional action the user may
do, but the user should also be allowed to not do it. Also, it belongs on the credentials
tab. I'm fairly sure no one is going to find it otherwise.
It doesn't have to be yet another SPI, but maybe we could add a type enum or something
to the current SPI. Also, we could add support for optional actions?
> If you want to create a separate SPI and way of doing this to support
> reset of more than just password, feel free to create that SPI, extend
> the Model API, write the tests, update the docs and create new examples
> and make sure the flow is configurable. I think this approach is fine.
I know we have a lot of work to do, but usability has to always be considered. One of the
main reasons I was interested in Keycloak was to create something that would make security
easier for users, admins and developers. I feel that if we continue adding and changing
things without considering usability we could just end up being yet another hard-to-use
product with all sorts of features.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com