Re: [keycloak-user] Issues with password reset link expiration

I think this may have been fixed in 1.9 with the flow changes I made. I don't have time to try it out right now though. On 2/10/2016 8:58 AM, Stian Thorgersen wrote: It's not about the error message though. It should be possible to open the link multiple times as long as the form is not submitted. On 10 February 2016 at 14:53, Bill Burke <bburke(a)redhat.com&gt; wrote: > We changed the "error" message in I think 1.9? Maybe 1.8 to say "You > clicked on a stale link. Maybe you have already verified your email?" > I'll look into improving this I guess. > > > On 2/10/2016 4:21 AM, Stian Thorgersen wrote: > > It should be possible to open the link multiple times, but only submit > the password reset once. If that's not the case (sounds like it is) feel > free to create a JIRA issue to report this as a bug. > > On 10 February 2016 at 05:24, Michael Anthon < > <michael.anthon@infoview.com.au&gt;michael.anthon(a)infoview.com.au&gt; wrote: > >> We are having issues with some users when they are attempting to use the >> password reset feature. It does work for most users however for some they >> always end up at an error page saying "WE'RE SORRY ... An error occurred, >> please login again through your application" >> >> What I have been able to determine so far is that for the affected users >> we are seeing a double hit on that URL in the server logs and from what I >> understand, these reset URLs are invalidated as soon as they are accessed. >> >> So here's the state of play >> * works for most users >> * some users hitting the reset URL twice >> * URL is only valid for the first access (I'm not 100% sure about this, >> can someone confirm please?) >> * URL is only valid for 30 minutes (but is being accessed within a few >> minutes of generation) >> * affected users are mostly using Outlook >> * some people tend to double click links in emails but I've verified >> with a reliable user that they are only clicking the link once >> * having the affected person send themselves another reset email and >> then copy and paste the URL from the mail client usually resolves this >> problem >> >> And questions >> * is this an issue anyone else has noticed with Outlook, doesn't affect >> ALL Outlook users, just some >> * is there a way to prevent the URL from being invalidated on initial >> access >> * is it feasible to change the behavior so that the URL is only >> invalidated when the password is changed >> * any other thoughts on how to avoid this issue? >> >> Thanks and Regards, >> >> Michael Anthon >> InfoView Technologies Pty Ltd >> 12/15 Adelaide St, Brisbane Qld 4000 >> P O Box 15478, City East, Brisbane Qld 4000 >> PH: +61 7 3014 2204 <%2B61%207%203014%202204> >> F: +61 7 3014 2200 <%2B61%207%203014%202200> >> M: +61 408 768 055 <%2B61%20408%20768%20055> >> michael.anthon(a)infoview.com.au >> >> The information transmitted is intended only for the person or entity to >> which it is addressed and may contain confidential and/or privileged >> material. Any review, retransmission, dissemination or other use of, or >> taking of any action in reliance upon, this information by persons or >> entities other than the intended recipient is prohibited. If you received >> this in error, please contact the sender and delete the material from any >> computer. Any views or opinions expressed in this email are solely those of >> the author and do not necessarily represent those of InfoView Technologies >> Pty Ltd. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hathttp://bill.burkecentral.com