2-3 days for email verification seems OK to me, but I wouldn't do that for password resets. So I think you need to request a feature to be able to configure those independently.

On 10 November 2015 at 13:50, Libor Krzyzanek <lkrzyzan@redhat.com> wrote:

Hi,
we got requirement to have long timeout e.g. 2 - 3 days on links for e-mail verification during registration for better UX.
It’s possible to do it via setting "Login action timeout” to 3 days. This setting also change the timeout of link for forgot password AFAIK.

I’m thinking about security implications.

Can somebody steal such link in e-mail somehow and then steal identity because of doing “forgot password” on target account? For example by listening SMTP protocol communication?

Thanks,

Libor Krzyžanek
jboss.org Development Team

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user