10:23 a.m.
Hi,
I have two proposals for cleanup of 'Change password' screen in Account
app based on my experience with it:
1. remove Cancel button - it has no any meaning on this screen/form, it
only reshowns form with empty fields. And also there is a bug,
"Password" field is hidden when it is used, which makes whole form unusable.
2. remove validation of current password (remove "Password" field). Two
reasons for this:
- security impact of this check is small. If attacker is able to
compromise Account app then he can always change email and then use
"Forgot password" feature to change password
- user created over Identity Provider do not know old password
(because it is not set) so he is not able to set password using this screen
After we implement support for reauthentication (KEYCLOAK-2076) then we
should set some reasonable reauth timeout for Account app instead, this
will make it more secure at all.
If you agree then I can create JIRA issue for this and provide PR.
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
11:05 a.m.
Hi!
On Fri, Nov 27, 2015 at 11:23 AM, Vlastimil Elias <velias(a)redhat.com> wrote:
2. remove validation of current password (remove "Password"
field). Two
reasons for this:
- security impact of this check is small. If attacker is able to
compromise Account app then he can always change email and then use
"Forgot password" feature to change password
- user created over Identity Provider do not know old password
(because it is not set) so he is not able to set password using this screen
After we implement support for reauthentication (KEYCLOAK-2076) then we
should set some reasonable reauth timeout for Account app instead, this
will make it more secure at all.
Wouldn't it make more sense to add password validation when changing email?
Best regards,
Thomas
11:16 a.m.
Hi Thomas,
On 27.11.2015 11:05, Thomas Raehalme wrote:
Hi!
On Fri, Nov 27, 2015 at 11:23 AM, Vlastimil Elias <velias(a)redhat.com
<mailto:velias@redhat.com>> wrote:
2. remove validation of current password (remove "Password"
field). Two
reasons for this:
- security impact of this check is small. If attacker is able to
compromise Account app then he can always change email and then use
"Forgot password" feature to change password
- user created over Identity Provider do not know old password
(because it is not set) so he is not able to set password using
this screen
After we implement support for reauthentication (KEYCLOAK-2076)
then we
should set some reasonable reauth timeout for Account app instead,
this
will make it more secure at all.
Wouldn't it make more sense to add password validation when changing
email?
Yes, this is why I write about use of general reauthentication mechanism
as defined in KEYCLOAK-2076 for whole Account app.
It will work even for other authentication types - some keycloak
instances may be configured not to use passwords at all.
Vl
Best regards,
Thomas
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
11:14 a.m.
On 27/11/15 10:23, Vlastimil Elias wrote:
Hi,
I have two proposals for cleanup of 'Change password' screen in Account
app based on my experience with it:
1. remove Cancel button - it has no any meaning on this screen/form, it
only reshowns form with empty fields. And also there is a bug,
"Password" field is hidden when it is used, which makes whole form unusable.
2. remove validation of current password (remove "Password" field). Two
reasons for this:
- security impact of this check is small. If attacker is able to
compromise Account app then he can always change email and then use
"Forgot password" feature to change password
- user created over Identity Provider do not know old password
(because it is not set) so he is not able to set password using this screen
After we implement support for reauthentication (KEYCLOAK-2076) then we
should set some reasonable reauth timeout for Account app instead, this
will make it more secure at all.
Hmm... AFAIK if user doesn't have password
set, he is already not
required to fill the existing password. That is the case when he is
registered through some social/identity providers. See PasswordBean class.
Btv. with new firstBrokerLogin changes, there is also flag
"requirePasswordUpdateAfterRegistration" on CreateUserIfUnique
authenticator. So now you can ask users registered through social to
update the password immediately after they are registered through social
provider :-)
Marek
If you agree then I can create JIRA issue for this and provide PR.
Vlastimil
11:45 a.m.
On 27 November 2015 at 10:23, Vlastimil Elias <velias(a)redhat.com> wrote:
Hi,
I have two proposals for cleanup of 'Change password' screen in Account
app based on my experience with it:
1. remove Cancel button - it has no any meaning on this screen/form, it
only reshowns form with empty fields. And also there is a bug,
"Password" field is hidden when it is used, which makes whole form
unusable.
+1
2. remove validation of current password (remove "Password" field). Two
reasons for this:
- security impact of this check is small. If attacker is able to
compromise Account app then he can always change email and then use
"Forgot password" feature to change password
- user created over Identity Provider do not know old password
(because it is not set) so he is not able to set password using this screen
After we implement support for reauthentication (KEYCLOAK-2076) then we
should set some reasonable reauth timeout for Account app instead, this
will make it more secure at all.
-1 Reset password over email may not be enabled at all. We already allow
setting password for IdPs login without requiring the existing password.
+1 To suggestion from Thomas - we should ask for password when updating
email at least when recover password over email is enabled.
It seems to be common practice to ask for current password when updating
the existing password.
If you agree then I can create JIRA issue for this and provide PR.
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:46 a.m.
+1 To setting re-auth after a configurable time for both admin console and
account mngmt. I still think we should ask for password though.
On 27 November 2015 at 11:45, Stian Thorgersen <sthorger(a)redhat.com> wrote:
On 27 November 2015 at 10:23, Vlastimil Elias <velias(a)redhat.com> wrote:
> Hi,
>
> I have two proposals for cleanup of 'Change password' screen in Account
> app based on my experience with it:
>
> 1. remove Cancel button - it has no any meaning on this screen/form, it
> only reshowns form with empty fields. And also there is a bug,
> "Password" field is hidden when it is used, which makes whole form
> unusable.
>
+1
>
> 2. remove validation of current password (remove "Password" field). Two
> reasons for this:
> - security impact of this check is small. If attacker is able to
> compromise Account app then he can always change email and then use
> "Forgot password" feature to change password
> - user created over Identity Provider do not know old password
> (because it is not set) so he is not able to set password using this
> screen
> After we implement support for reauthentication (KEYCLOAK-2076) then we
> should set some reasonable reauth timeout for Account app instead, this
> will make it more secure at all.
>
-1 Reset password over email may not be enabled at all. We already allow
setting password for IdPs login without requiring the existing password.
+1 To suggestion from Thomas - we should ask for password when updating
email at least when recover password over email is enabled.
It seems to be common practice to ask for current password when updating
the existing password.
>
> If you agree then I can create JIRA issue for this and provide PR.
>
> Vlastimil
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
11:47 a.m.
Please add suggestions to improve account management to
https://issues.jboss.org/browse/KEYCLOAK-1250. We're hoping to completely
rework the account management console as it's not very nice nor user
friendly at the moment.
On 27 November 2015 at 11:46, Stian Thorgersen <sthorger(a)redhat.com> wrote:
+1 To setting re-auth after a configurable time for both admin
console and
account mngmt. I still think we should ask for password though.
On 27 November 2015 at 11:45, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
>
>
> On 27 November 2015 at 10:23, Vlastimil Elias <velias(a)redhat.com> wrote:
>
>> Hi,
>>
>> I have two proposals for cleanup of 'Change password' screen in Account
>> app based on my experience with it:
>>
>> 1. remove Cancel button - it has no any meaning on this screen/form, it
>> only reshowns form with empty fields. And also there is a bug,
>> "Password" field is hidden when it is used, which makes whole form
>> unusable.
>>
>
> +1
>
>
>>
>> 2. remove validation of current password (remove "Password" field).
Two
>> reasons for this:
>> - security impact of this check is small. If attacker is able to
>> compromise Account app then he can always change email and then use
>> "Forgot password" feature to change password
>> - user created over Identity Provider do not know old password
>> (because it is not set) so he is not able to set password using this
>> screen
>> After we implement support for reauthentication (KEYCLOAK-2076) then we
>> should set some reasonable reauth timeout for Account app instead, this
>> will make it more secure at all.
>>
>
> -1 Reset password over email may not be enabled at all. We already allow
> setting password for IdPs login without requiring the existing password.
>
> +1 To suggestion from Thomas - we should ask for password when updating
> email at least when recover password over email is enabled.
>
> It seems to be common practice to ask for current password when updating
> the existing password.
>
>
>>
>> If you agree then I can create JIRA issue for this and provide PR.
>>
>> Vlastimil
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
12:16 p.m.
Hi,
On 27.11.2015 11:45, Stian Thorgersen wrote:
On 27 November 2015 at 10:23, Vlastimil Elias <velias(a)redhat.com
<mailto:velias@redhat.com>> wrote:
Hi,
I have two proposals for cleanup of 'Change password' screen in
Account
app based on my experience with it:
1. remove Cancel button - it has no any meaning on this
screen/form, it
only reshowns form with empty fields. And also there is a bug,
"Password" field is hidden when it is used, which makes whole form
unusable.
+1
OK, I'm going to create JIRA and provide PR for this.
2. remove validation of current password (remove "Password"
field). Two
reasons for this:
- security impact of this check is small. If attacker is able to
compromise Account app then he can always change email and then use
"Forgot password" feature to change password
- user created over Identity Provider do not know old password
(because it is not set) so he is not able to set password using
this screen
After we implement support for reauthentication (KEYCLOAK-2076)
then we
should set some reasonable reauth timeout for Account app instead,
this
will make it more secure at all.
-1 Reset password over email may not be enabled at all. We already
allow setting password for IdPs login without requiring the existing
password.
Fair enough
+1 To suggestion from Thomas - we should ask for password when
updating email at least when recover password over email is enabled.
Makes sense, but what to do if user has no password set at this point?
Don't ask him, or reauthenticate him by other available mechanism?
And there are also other "dangerous" operations in Account app. Eg.
attacker who gains access to it can disable OTP without any recheck.
This should be protected too.
I believe whole Account app should be correctly protected by
reauthentications. Question is if implement it somehow specifically in
the app, or resolve this generally as part of KEYCLOAK-2076.
Vlastimil
It seems to be common practice to ask for current password when
updating the existing password.
If you agree then I can create JIRA issue for this and provide PR.
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
12:28 p.m.
On 27 November 2015 at 12:16, Vlastimil Elias <velias(a)redhat.com> wrote:
Hi,
On 27.11.2015 11:45, Stian Thorgersen wrote:
On 27 November 2015 at 10:23, Vlastimil Elias < <velias(a)redhat.com>
velias(a)redhat.com> wrote:
> Hi,
>
> I have two proposals for cleanup of 'Change password' screen in Account
> app based on my experience with it:
>
> 1. remove Cancel button - it has no any meaning on this screen/form, it
> only reshowns form with empty fields. And also there is a bug,
> "Password" field is hidden when it is used, which makes whole form
> unusable.
>
+1
OK, I'm going to create JIRA and provide PR for this.
>
> 2. remove validation of current password (remove "Password" field). Two
> reasons for this:
> - security impact of this check is small. If attacker is able to
> compromise Account app then he can always change email and then use
> "Forgot password" feature to change password
> - user created over Identity Provider do not know old password
> (because it is not set) so he is not able to set password using this
> screen
> After we implement support for reauthentication (KEYCLOAK-2076) then we
> should set some reasonable reauth timeout for Account app instead, this
> will make it more secure at all.
>
-1 Reset password over email may not be enabled at all. We already allow
setting password for IdPs login without requiring the existing password.
Fair enough
+1 To suggestion from Thomas - we should ask for password when updating
email at least when recover password over email is enabled.
Makes sense, but what to do if user has no password set at this point?
Don't ask him, or reauthenticate him by other available mechanism?
And there are also other "dangerous" operations in Account app. Eg.
attacker who gains access to it can disable OTP without any recheck. This
should be protected too.
I believe whole Account app should be correctly protected by
reauthentications. Question is if implement it somehow specifically in the
app, or resolve this generally as part of KEYCLOAK-2076.
Yep, you're right there's other dangerous operations as well.
Re-authentication sounds like the correct approach, rather than requesting
the password again. We could have two configurable timeouts in account
management console. One that requires re-auth for anything (~30 min
default), and another that requires re-auth for sensitive operations (~5
min).
One thing with re-auth is that if it happens when a user submits a form,
you then someone have to also remember the values of the form. Currently
account management is stateless.
Vlastimil
It seems to be common practice to ask for current password when updating
the existing password.
>
> If you agree then I can create JIRA issue for this and provide PR.
>
> Vlastimil
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
1:22 p.m.
On 27.11.2015 12:28, Stian Thorgersen wrote:
On 27 November 2015 at 12:16, Vlastimil Elias <velias(a)redhat.com
<mailto:velias@redhat.com>> wrote:
Hi,
On 27.11.2015 11:45, Stian Thorgersen wrote:
>
>
> On 27 November 2015 at 10:23, Vlastimil Elias <velias(a)redhat.com
> <mailto:velias@redhat.com>> wrote:
>
> Hi,
>
> I have two proposals for cleanup of 'Change password' screen
> in Account
> app based on my experience with it:
>
> 1. remove Cancel button - it has no any meaning on this
> screen/form, it
> only reshowns form with empty fields. And also there is a bug,
> "Password" field is hidden when it is used, which makes whole
> form unusable.
>
>
> +1
OK, I'm going to create JIRA and provide PR for this.
>
>
>
> 2. remove validation of current password (remove "Password"
> field). Two
> reasons for this:
> - security impact of this check is small. If attacker is
> able to
> compromise Account app then he can always change email and
> then use
> "Forgot password" feature to change password
> - user created over Identity Provider do not know old password
> (because it is not set) so he is not able to set password
> using this screen
> After we implement support for reauthentication
> (KEYCLOAK-2076) then we
> should set some reasonable reauth timeout for Account app
> instead, this
> will make it more secure at all.
>
>
> -1 Reset password over email may not be enabled at all. We
> already allow setting password for IdPs login without requiring
> the existing password.
Fair enough
>
> +1 To suggestion from Thomas - we should ask for password when
> updating email at least when recover password over email is enabled.
Makes sense, but what to do if user has no password set at this
point? Don't ask him, or reauthenticate him by other available
mechanism?
And there are also other "dangerous" operations in Account app.
Eg. attacker who gains access to it can disable OTP without any
recheck. This should be protected too.
I believe whole Account app should be correctly protected by
reauthentications. Question is if implement it somehow
specifically in the app, or resolve this generally as part of
KEYCLOAK-2076.
Yep, you're right there's other dangerous operations as well.
Re-authentication sounds like the correct approach, rather than
requesting the password again. We could have two configurable timeouts
in account management console. One that requires re-auth for anything
(~30 min default), and another that requires re-auth for sensitive
operations (~5 min).
One thing with re-auth is that if it happens when a user submits a
form, you then someone have to also remember the values of the form.
Currently account management is stateless.
Yep, implementing reauthentication schemes correctly in client apps may
be tricky, mainly for POST requests (and even worse posts with file
upload) and AJAX call handlers etc.
Beside Keycloak Account app we should try to provide reasonable support
in Keycloak adapters, but it may be tricky as related Java EE
specifications (JAAS subsystems, auth related things in Java Servlet and
EJB spec ) do not count with these more complicated schemes too much.
And I also thought if reauthentication scheme should be somehow
implemented on REST API levels also.
Eg. some REST endpoint operation will define that it needs reauth with
some timeout. If client app call it with Bearer token then it should be
able to tests last auth timestamp (which should be possible as it may be
in the token as claim) and propagate back info that it needs reauth (how
to map this to HTTP?). Support for this should be added to the framework
like RestEasy then.
Vl.
Vlastimil
>
> It seems to be common practice to ask for current password when
> updating the existing password.
>
>
>
> If you agree then I can create JIRA issue for this and
> provide PR.
>
> Vlastimil
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
1:25 p.m.
Hmm.. re-auth request for rest endpoints is even more tricky. I think a
rest endpoint would just have to return a 401? Then it's up to the client
to figure out that it needs to re-authenticate.
On 27 November 2015 at 13:22, Vlastimil Elias <velias(a)redhat.com> wrote:
On 27.11.2015 12:28, Stian Thorgersen wrote:
On 27 November 2015 at 12:16, Vlastimil Elias < <velias(a)redhat.com>
velias(a)redhat.com> wrote:
> Hi,
>
> On 27.11.2015 11:45, Stian Thorgersen wrote:
>
>
>
> On 27 November 2015 at 10:23, Vlastimil Elias < <velias(a)redhat.com>
> velias(a)redhat.com> wrote:
>
>> Hi,
>>
>> I have two proposals for cleanup of 'Change password' screen in Account
>> app based on my experience with it:
>>
>> 1. remove Cancel button - it has no any meaning on this screen/form, it
>> only reshowns form with empty fields. And also there is a bug,
>> "Password" field is hidden when it is used, which makes whole form
>> unusable.
>>
>
> +1
>
>
> OK, I'm going to create JIRA and provide PR for this.
>
>
>
>>
>> 2. remove validation of current password (remove "Password" field).
Two
>> reasons for this:
>> - security impact of this check is small. If attacker is able to
>> compromise Account app then he can always change email and then use
>> "Forgot password" feature to change password
>> - user created over Identity Provider do not know old password
>> (because it is not set) so he is not able to set password using this
>> screen
>> After we implement support for reauthentication (KEYCLOAK-2076) then we
>> should set some reasonable reauth timeout for Account app instead, this
>> will make it more secure at all.
>>
>
> -1 Reset password over email may not be enabled at all. We already allow
> setting password for IdPs login without requiring the existing password.
>
> Fair enough
>
>
> +1 To suggestion from Thomas - we should ask for password when updating
> email at least when recover password over email is enabled.
>
>
> Makes sense, but what to do if user has no password set at this point?
> Don't ask him, or reauthenticate him by other available mechanism?
>
> And there are also other "dangerous" operations in Account app. Eg.
> attacker who gains access to it can disable OTP without any recheck. This
> should be protected too.
> I believe whole Account app should be correctly protected by
> reauthentications. Question is if implement it somehow specifically in the
> app, or resolve this generally as part of KEYCLOAK-2076.
>
Yep, you're right there's other dangerous operations as well.
Re-authentication sounds like the correct approach, rather than requesting
the password again. We could have two configurable timeouts in account
management console. One that requires re-auth for anything (~30 min
default), and another that requires re-auth for sensitive operations (~5
min).
One thing with re-auth is that if it happens when a user submits a form,
you then someone have to also remember the values of the form. Currently
account management is stateless.
Yep, implementing reauthentication schemes correctly in client apps may be
tricky, mainly for POST requests (and even worse posts with file upload)
and AJAX call handlers etc.
Beside Keycloak Account app we should try to provide reasonable support in
Keycloak adapters, but it may be tricky as related Java EE specifications
(JAAS subsystems, auth related things in Java Servlet and EJB spec ) do not
count with these more complicated schemes too much.
And I also thought if reauthentication scheme should be somehow
implemented on REST API levels also.
Eg. some REST endpoint operation will define that it needs reauth with
some timeout. If client app call it with Bearer token then it should be
able to tests last auth timestamp (which should be possible as it may be in
the token as claim) and propagate back info that it needs reauth (how to
map this to HTTP?). Support for this should be added to the framework like
RestEasy then.
Vl.
>
>
> Vlastimil
>
>
> It seems to be common practice to ask for current password when updating
> the existing password.
>
>
>>
>> If you agree then I can create JIRA issue for this and provide PR.
>>
>> Vlastimil
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
1:30 p.m.
On 27.11.2015 13:25, Stian Thorgersen wrote:
Hmm.. re-auth request for rest endpoints is even more tricky. I
think
a rest endpoint would just have to return a 401? Then it's up to the
client to figure out that it needs to re-authenticate.
Yep, 401 matches best probably, but at least hint in some response
header should be cool, probably in WWW-Authenticate as it is mandatory
for 401 ;-) But this is the future, proper Keycloak server support is
necessary first ;-)
Vl.
On 27 November 2015 at 13:22, Vlastimil Elias <velias(a)redhat.com
<mailto:velias@redhat.com>> wrote:
On 27.11.2015 12:28, Stian Thorgersen wrote:
>
>
> On 27 November 2015 at 12:16, Vlastimil Elias <velias(a)redhat.com
> <mailto:velias@redhat.com>> wrote:
>
> Hi,
>
> On 27.11.2015 11:45, Stian Thorgersen wrote:
>>
>>
>> On 27 November 2015 at 10:23, Vlastimil Elias
>> <velias(a)redhat.com <mailto:velias@redhat.com>> wrote:
>>
>> Hi,
>>
>> I have two proposals for cleanup of 'Change password'
>> screen in Account
>> app based on my experience with it:
>>
>> 1. remove Cancel button - it has no any meaning on this
>> screen/form, it
>> only reshowns form with empty fields. And also there is
>> a bug,
>> "Password" field is hidden when it is used, which makes
>> whole form unusable.
>>
>>
>> +1
>
> OK, I'm going to create JIRA and provide PR for this.
>
>>
>>
>>
>> 2. remove validation of current password (remove
>> "Password" field). Two
>> reasons for this:
>> - security impact of this check is small. If attacker
>> is able to
>> compromise Account app then he can always change email
>> and then use
>> "Forgot password" feature to change password
>> - user created over Identity Provider do not know old
>> password
>> (because it is not set) so he is not able to set
>> password using this screen
>> After we implement support for reauthentication
>> (KEYCLOAK-2076) then we
>> should set some reasonable reauth timeout for Account
>> app instead, this
>> will make it more secure at all.
>>
>>
>> -1 Reset password over email may not be enabled at all. We
>> already allow setting password for IdPs login without
>> requiring the existing password.
> Fair enough
>>
>> +1 To suggestion from Thomas - we should ask for password
>> when updating email at least when recover password over
>> email is enabled.
>
> Makes sense, but what to do if user has no password set at
> this point? Don't ask him, or reauthenticate him by other
> available mechanism?
>
> And there are also other "dangerous" operations in Account
> app. Eg. attacker who gains access to it can disable OTP
> without any recheck. This should be protected too.
> I believe whole Account app should be correctly protected by
> reauthentications. Question is if implement it somehow
> specifically in the app, or resolve this generally as part of
> KEYCLOAK-2076.
>
>
> Yep, you're right there's other dangerous operations as well.
> Re-authentication sounds like the correct approach, rather than
> requesting the password again. We could have two configurable
> timeouts in account management console. One that requires re-auth
> for anything (~30 min default), and another that requires re-auth
> for sensitive operations (~5 min).
>
> One thing with re-auth is that if it happens when a user submits
> a form, you then someone have to also remember the values of the
> form. Currently account management is stateless.
Yep, implementing reauthentication schemes correctly in client
apps may be tricky, mainly for POST requests (and even worse posts
with file upload) and AJAX call handlers etc.
Beside Keycloak Account app we should try to provide reasonable
support in Keycloak adapters, but it may be tricky as related Java
EE specifications (JAAS subsystems, auth related things in Java
Servlet and EJB spec ) do not count with these more complicated
schemes too much.
And I also thought if reauthentication scheme should be somehow
implemented on REST API levels also.
Eg. some REST endpoint operation will define that it needs reauth
with some timeout. If client app call it with Bearer token then it
should be able to tests last auth timestamp (which should be
possible as it may be in the token as claim) and propagate back
info that it needs reauth (how to map this to HTTP?). Support for
this should be added to the framework like RestEasy then.
Vl.
>
>
>
>
> Vlastimil
>
>>
>> It seems to be common practice to ask for current password
>> when updating the existing password.
>>
>>
>>
>> If you agree then I can create JIRA issue for this and
>> provide PR.
>>
>> Vlastimil
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> <mailto:keycloak-dev@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
4:13 p.m.
Why would you need re-auth for REST or even browser clients? Doesn't
access token and refresh token timeouts handle this sort of thing?
On 11/27/2015 7:25 AM, Stian Thorgersen wrote:
Hmm.. re-auth request for rest endpoints is even more tricky. I think
a
rest endpoint would just have to return a 401? Then it's up to the
client to figure out that it needs to re-authenticate.
On 27 November 2015 at 13:22, Vlastimil Elias <velias(a)redhat.com
<mailto:velias@redhat.com>> wrote:
On 27.11.2015 12:28, Stian Thorgersen wrote:
>
>
> On 27 November 2015 at 12:16, Vlastimil Elias
> <<mailto:velias@redhat.com>velias@redhat.com
> <mailto:velias@redhat.com>> wrote:
>
> Hi,
>
> On 27.11.2015 11:45, Stian Thorgersen wrote:
>>
>>
>> On 27 November 2015 at 10:23, Vlastimil Elias
>> <<mailto:velias@redhat.com>velias@redhat.com
>> <mailto:velias@redhat.com>> wrote:
>>
>> Hi,
>>
>> I have two proposals for cleanup of 'Change password'
>> screen in Account
>> app based on my experience with it:
>>
>> 1. remove Cancel button - it has no any meaning on this
>> screen/form, it
>> only reshowns form with empty fields. And also there is a
>> bug,
>> "Password" field is hidden when it is used, which makes
>> whole form unusable.
>>
>>
>> +1
>
> OK, I'm going to create JIRA and provide PR for this.
>
>>
>> 2. remove validation of current password (remove
>> "Password" field). Two
>> reasons for this:
>> - security impact of this check is small. If attacker
>> is able to
>> compromise Account app then he can always change email
>> and then use
>> "Forgot password" feature to change password
>> - user created over Identity Provider do not know old
>> password
>> (because it is not set) so he is not able to set password
>> using this screen
>> After we implement support for reauthentication
>> (KEYCLOAK-2076) then we
>> should set some reasonable reauth timeout for Account app
>> instead, this
>> will make it more secure at all.
>>
>>
>> -1 Reset password over email may not be enabled at all. We
>> already allow setting password for IdPs login without
>> requiring the existing password.
> Fair enough
>>
>> +1 To suggestion from Thomas - we should ask for password
>> when updating email at least when recover password over email
>> is enabled.
>
> Makes sense, but what to do if user has no password set at
> this point? Don't ask him, or reauthenticate him by other
> available mechanism?
>
> And there are also other "dangerous" operations in Account
> app. Eg. attacker who gains access to it can disable OTP
> without any recheck. This should be protected too.
> I believe whole Account app should be correctly protected by
> reauthentications. Question is if implement it somehow
> specifically in the app, or resolve this generally as part of
> KEYCLOAK-2076.
>
>
> Yep, you're right there's other dangerous operations as well.
> Re-authentication sounds like the correct approach, rather than
> requesting the password again. We could have two configurable
> timeouts in account management console. One that requires re-auth
> for anything (~30 min default), and another that requires re-auth
> for sensitive operations (~5 min).
>
> One thing with re-auth is that if it happens when a user submits a
> form, you then someone have to also remember the values of the
> form. Currently account management is stateless.
Yep, implementing reauthentication schemes correctly in client apps
may be tricky, mainly for POST requests (and even worse posts with
file upload) and AJAX call handlers etc.
Beside Keycloak Account app we should try to provide reasonable
support in Keycloak adapters, but it may be tricky as related Java
EE specifications (JAAS subsystems, auth related things in Java
Servlet and EJB spec ) do not count with these more complicated
schemes too much.
And I also thought if reauthentication scheme should be somehow
implemented on REST API levels also.
Eg. some REST endpoint operation will define that it needs reauth
with some timeout. If client app call it with Bearer token then it
should be able to tests last auth timestamp (which should be
possible as it may be in the token as claim) and propagate back info
that it needs reauth (how to map this to HTTP?). Support for this
should be added to the framework like RestEasy then.
Vl.
>
>
> Vlastimil
>
>>
>> It seems to be common practice to ask for current password
>> when updating the existing password.
>>
>>
>> If you agree then I can create JIRA issue for this and
>> provide PR.
>>
>> Vlastimil
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> <mailto:keycloak-dev@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:19 p.m.
I guess at least the re-auth part is logic that belongs in the client that
performs the login.
Question though for authentication levels as well as authentication timeout
(or whatever you call it) shouldn't a rest service be able to say things
like I require the user to have authenticated with password + otp, and to
have authenticated within N minutes?
On 27 November 2015 at 16:13, Bill Burke <bburke(a)redhat.com> wrote:
Why would you need re-auth for REST or even browser clients?
Doesn't
access token and refresh token timeouts handle this sort of thing?
On 11/27/2015 7:25 AM, Stian Thorgersen wrote:
> Hmm.. re-auth request for rest endpoints is even more tricky. I think a
> rest endpoint would just have to return a 401? Then it's up to the
> client to figure out that it needs to re-authenticate.
>
> On 27 November 2015 at 13:22, Vlastimil Elias <velias(a)redhat.com
> <mailto:velias@redhat.com>> wrote:
>
>
>
> On 27.11.2015 12:28, Stian Thorgersen wrote:
>>
>>
>> On 27 November 2015 at 12:16, Vlastimil Elias
>> <<mailto:velias@redhat.com>velias@redhat.com
>> <mailto:velias@redhat.com>> wrote:
>>
>> Hi,
>>
>> On 27.11.2015 11:45, Stian Thorgersen wrote:
>>>
>>>
>>> On 27 November 2015 at 10:23, Vlastimil Elias
>>> <<mailto:velias@redhat.com>velias@redhat.com
>>> <mailto:velias@redhat.com>> wrote:
>>>
>>> Hi,
>>>
>>> I have two proposals for cleanup of 'Change password'
>>> screen in Account
>>> app based on my experience with it:
>>>
>>> 1. remove Cancel button - it has no any meaning on this
>>> screen/form, it
>>> only reshowns form with empty fields. And also there is a
>>> bug,
>>> "Password" field is hidden when it is used, which
makes
>>> whole form unusable.
>>>
>>>
>>> +1
>>
>> OK, I'm going to create JIRA and provide PR for this.
>>
>>>
>>> 2. remove validation of current password (remove
>>> "Password" field). Two
>>> reasons for this:
>>> - security impact of this check is small. If attacker
>>> is able to
>>> compromise Account app then he can always change email
>>> and then use
>>> "Forgot password" feature to change password
>>> - user created over Identity Provider do not know old
>>> password
>>> (because it is not set) so he is not able to set password
>>> using this screen
>>> After we implement support for reauthentication
>>> (KEYCLOAK-2076) then we
>>> should set some reasonable reauth timeout for Account app
>>> instead, this
>>> will make it more secure at all.
>>>
>>>
>>> -1 Reset password over email may not be enabled at all. We
>>> already allow setting password for IdPs login without
>>> requiring the existing password.
>> Fair enough
>>>
>>> +1 To suggestion from Thomas - we should ask for password
>>> when updating email at least when recover password over email
>>> is enabled.
>>
>> Makes sense, but what to do if user has no password set at
>> this point? Don't ask him, or reauthenticate him by other
>> available mechanism?
>>
>> And there are also other "dangerous" operations in Account
>> app. Eg. attacker who gains access to it can disable OTP
>> without any recheck. This should be protected too.
>> I believe whole Account app should be correctly protected by
>> reauthentications. Question is if implement it somehow
>> specifically in the app, or resolve this generally as part of
>> KEYCLOAK-2076.
>>
>>
>> Yep, you're right there's other dangerous operations as well.
>> Re-authentication sounds like the correct approach, rather than
>> requesting the password again. We could have two configurable
>> timeouts in account management console. One that requires re-auth
>> for anything (~30 min default), and another that requires re-auth
>> for sensitive operations (~5 min).
>>
>> One thing with re-auth is that if it happens when a user submits a
>> form, you then someone have to also remember the values of the
>> form. Currently account management is stateless.
>
> Yep, implementing reauthentication schemes correctly in client apps
> may be tricky, mainly for POST requests (and even worse posts with
> file upload) and AJAX call handlers etc.
> Beside Keycloak Account app we should try to provide reasonable
> support in Keycloak adapters, but it may be tricky as related Java
> EE specifications (JAAS subsystems, auth related things in Java
> Servlet and EJB spec ) do not count with these more complicated
> schemes too much.
>
> And I also thought if reauthentication scheme should be somehow
> implemented on REST API levels also.
> Eg. some REST endpoint operation will define that it needs reauth
> with some timeout. If client app call it with Bearer token then it
> should be able to tests last auth timestamp (which should be
> possible as it may be in the token as claim) and propagate back info
> that it needs reauth (how to map this to HTTP?). Support for this
> should be added to the framework like RestEasy then.
>
> Vl.
>
>>
>>
>> Vlastimil
>>
>>>
>>> It seems to be common practice to ask for current password
>>> when updating the existing password.
>>>
>>>
>>> If you agree then I can create JIRA issue for this and
>>> provide PR.
>>>
>>> Vlastimil
>>>
>>> --
>>> Vlastimil Elias
>>> Principal Software Engineer
>>> Developer Portal Engineering Team
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> <mailto:keycloak-dev@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:23 p.m.
On 11/27/2015 10:19 AM, Stian Thorgersen wrote:
I guess at least the re-auth part is logic that belongs in the
client
that performs the login.
Question though for authentication levels as well as authentication
timeout (or whatever you call it) shouldn't a rest service be able to
say things like I require the user to have authenticated with password +
otp, and to have authenticated within N minutes?
I think SAML has extensions for that. OIDC doesn't.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3079
days inactive
3079
days old
14 comments
5 participants
participants (5)
-
Bill Burke -
Marek Posolda -
Stian Thorgersen -
Thomas Raehalme -
Vlastimil Elias