I guess it's added as an additional security check. This would be applicable to all
I propose in ClientSessionCode#getAction we create a new key and set it on the
ClientSession. Then we add the key to the signature part of the code. This would make each
code more unique and harder to generate, while at the same time we could remove the key
query param for emails.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Tuesday, 21 October, 2014 9:08:56 AM
Subject: [keycloak-dev] key and code in emails
Why is there a key as well as the code query params in links sent in emails?