Hi Arnault,
I think with no "alternative" to alternate to or a "required" flow at
the
top level, you will not "require" anything other than choosing your user to
gain a session. (You can use "choose a user" in a flow as a way to login
without a password. So at that point in the process the user is logged in,
with a login cookie.)
I suppose you could consider it like this : you haven't completed all the
required steps so the alternative flow hasn't completed yet, so you
shouldn't be logged in. Maybe...
I don't think this is a bug. But it does do the same for me.
This makes me think : If you capture the cookie when using the normal reset
process and replay a session with it and gain access to someone else's
account, that would be a security bug. I might dig into that later if I
have time/energy!
Why would you want all the steps to be an "alternative" to reset
credentials?
You don't even need to try it twice, just enter your email/username and
press submit when you see the "mail sent" message, click back. You're in.
Max
On Tue, 8 Oct 2019 at 16:54, <keycloak-user-request(a)lists.jboss.org> wrote:
From: Arnault BESNARD <Arnault.BESNARD(a)b-com.com>
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Cc:
Bcc:
Date: Tue, 8 Oct 2019 15:41:49 +0000
Subject: [keycloak-user] subflow issue on reset credentials
Hi all,
I got a very strange Keycloak behaviour on reset credentials.
I set my reset credentials flow as follows:
* I created a flow called "subflow" and set it as alternative
Inside my subflow I created 3 execution providers:
* choose user (required)
* send Reset Email (required)
* Reset Password (required)
The authentication flow is the default "browser" flow.
Now, I tried the following scenario:
* On the login page, click on "forgot password"
* Enter a valid email
* A message told you that you should receive an email soon.
* Click again on "forgot password"
* Now, enter any valid user's email belonging to the realm
* Again, a message told you that you should receive an email soon.
* Now click on the browser back button.
* You are connected with the credential belonging to the user's email !
If you create your reset credentials without subform, this scenario
doesn't allow you to connect without the email link.
Before opening a bug case, can someone confirm he has the same behaviour ?
Thanks in advance,
Arnault
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Max Allan
phone +448454681066
email max.allan(a)surevine.com
[image: Surevine 10th Anniversary]
Participate | Collaborate | Innovate
Surevine Limited, registered in England and Wales with number 06726289. PO
Box 1136, Guildford GU1 9ND, UK
If you think you have received this message in error, please notify us.