Feel free to extend the plugin then. :)
On 6/15/16 4:49 PM, Tomás García wrote:
Hi,
In this URL:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.ht... , it says:
"This form *WILL NOT* re-ask the user to enter in an email or username
if the previous email or username did not exist. You need to prevent
attackers from being able to guess valid users. So, if
AuthenticationFlowContext.getUser() returns null, you should proceed
with the flow to make it look like a valid user was selected."
And I totally agree with that, but it doesn't apply to all cases
unfortunately. If the admin enables "User registration", the user
registration form will tell a possible malicious guy if the email
combinations she's trying already exist, invalidating what the above
paragraph says. And I don't think there's a way to do the same as in the
"forgot password" feature with the registration form, because after
registration, there's an autologin.
Actually, it's confusing for users to tell them an email was sent even
if it's not... People sometimes can forget that they're not registered
in the Keycloak system, so the "forgot password" feature as it is today
will make them wait forever. At least, sending them an email telling
them "You're not registered. You can register by visiting this link." if
"User registration" is enabled, or "Ask your admin to register your email
in the system" if it's not, would definitely be better.
Thanks.
--
Tomás García Pérez
Software Developer
IntraHouse
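As an added illustration (example code, not Keycloak's own), a small Python model of the two flows the message contrasts: a reset-credentials step that proceeds identically when the user lookup returns null, as the quoted docs require, and a registration form whose duplicate-email error necessarily reveals that an address is already taken. The realm, handler names and messages are constructed for this example.

```python
"""Constructed model of enumeration-resistant vs. enumeration-leaking flows."""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    status: int
    message: str
    emails_sent: list = field(default_factory=list)  # side effects, never shown to the caller


class Realm:
    """Minimal stand-in for a Keycloak realm's user store (constructed)."""

    def __init__(self, users):
        self.users = {u.lower() for u in users}

    def find_user(self, username_or_email):
        key = username_or_email.strip().lower()
        return key if key in self.users else None  # None plays the role of getUser() == null


def reset_credentials(realm, username_or_email):
    """'Forgot password': choose user, then send the reset email.
    The visible result is the same whether or not the user exists; only the
    invisible side effect (an email actually going out) differs."""
    user = realm.find_user(username_or_email)
    sent = []
    if user is not None:
        sent.append((user, "password-reset-link"))
    # Shown even when nothing was sent, which is exactly the confusion the thread describes.
    return Outcome(200, "An email with further instructions has been sent.", sent)


def register(realm, email):
    """Self-registration must refuse a duplicate email, so its distinct error
    unavoidably tells the submitter that the address is already registered."""
    if realm.find_user(email) is not None:
        return Outcome(400, "Email already exists.")
    realm.users.add(email.lower())
    return Outcome(200, "Registered and logged in.")  # the auto-login the thread mentions


def visible(outcome):
    return (outcome.status, outcome.message)


def leaks_existence(handler, realm, known, unknown):
    """Defender-side check: does the visible response differ between a
    registered and an unregistered address?"""
    return visible(handler(realm, known)) != visible(handler(realm, unknown))
```

With a realm containing only `alice@example.com`, `leaks_existence(reset_credentials, ...)` is `False` while `leaks_existence(register, ...)` is `True`, which is the asymmetry the message points out.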
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user