Done.
https://issues.jboss.org/browse/KEYCLOAK-1576

Thanks!


On 16.07.2015 at 14:32, Stian Thorgersen <stian@redhat.com> wrote:

Can you create a JIRA for this please?

----- Original Message -----
From: "Niko Köbler" <niko@n-k.de>
To: "Stian Thorgersen" <stian@redhat.com>
Cc: keycloak-user@lists.jboss.org
Sent: Thursday, 16 July, 2015 2:30:31 PM
Subject: Re: [keycloak-user] Login user action lifespan

Sorry, I forgot to mention this step: I actually changed the password (set it
the first time).

In the meantime I tried this loop (click link in mail, change password, log
in) more than 5 times… it still works!


On 16.07.2015 at 14:26, Stian Thorgersen <stian@redhat.com> wrote:



----- Original Message -----
From: "Niko Köbler" <niko@n-k.de>
To: "Stian Thorgersen" <stian@redhat.com>
Cc: keycloak-user@lists.jboss.org
Sent: Thursday, 16 July, 2015 2:24:40 PM
Subject: Re: [keycloak-user] Login user action lifespan

We are still on 1.2.0

Steps to reproduce:
- create a user via Admin API
- trigger to send the password-reset mail via Admin API
- click on the link in the mail to set the password
- try to log in -> works

Have you actually changed the password here, or just logged in?

- go back to your mails, click again on the password-reset link in the mail
- change your password
- try to log in with old password -> doesn’t work
- try to log in with new password -> works
- and so on…



On 16.07.2015 at 14:00, Stian Thorgersen <stian@redhat.com> wrote:

That's definitely not correct behavior. What version are you on? Can you
give me exact steps to reproduce?

----- Original Message -----
From: "Niko Köbler" <niko@n-k.de>
To: "Stian Thorgersen" <stian@redhat.com>
Cc: keycloak-user@lists.jboss.org
Sent: Thursday, 16 July, 2015 1:58:21 PM
Subject: Re: [keycloak-user] Login user action lifespan

It is valid.
I can change my password again and again…


On 16.07.2015 at 13:49, Stian Thorgersen <stian@redhat.com> wrote:

Does it seem that it is valid, or is it valid? It should only be usable once.

----- Original Message -----
From: "Niko Köbler" <niko@n-k.de>
To: keycloak-user@lists.jboss.org
Sent: Thursday, 16 July, 2015 1:45:43 PM
Subject: [keycloak-user] Login user action lifespan

Hi,

you can set the „login user action lifespan“ in realm settings for the time
the link is valid for a user to set a password (or other tasks).
This link seems to be valid and working even if the user has clicked on it
and has done the tasks.

Is it possible to configure this link to be valid only once during its
lifespan? Or at least to be invalid as soon as the user has set his
password/done the login actions?
Otherwise this link could be used to change the password again, after the
user has already set his password - possibly by third persons who got to
know of this link. Maybe a security issue?

Thanks & regards,
- Niko
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
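
The behaviour requested in this thread, a mailed action link that works once within its lifespan and is dead afterwards, shown as an added Python example. It is not Keycloak code and not from the thread's participants; `ActionTokenStore`, `replay_demo`, the in-memory dictionary and the user id are hypothetical names and constructed values.

```python
import hashlib
import secrets
import time


class ActionTokenStore:
    """Single-use, time-limited tokens for e-mailed action links (hypothetical)."""

    def __init__(self, lifespan_seconds):
        self.lifespan = lifespan_seconds
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked store does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        # Issuing a new link revokes any older, still-pending link for the user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, now + self.lifespan)
        return token

    def redeem(self, token, now=None):
        """Return the user id once; None if unknown, expired or already used."""
        now = time.time() if now is None else now
        # pop() removes the entry in the same step that reads it, so a second
        # request carrying the same link finds nothing to redeem.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now < expires_at else None


def replay_demo():
    """Constructed scenario mirroring the thread: use the mailed link twice."""
    store = ActionTokenStore(lifespan_seconds=300)
    link_token = store.issue("user-1", now=1000.0)
    first = store.redeem(link_token, now=1010.0)   # user sets the password
    second = store.redeem(link_token, now=1020.0)  # same link clicked again
    late = store.redeem(store.issue("user-1", now=2000.0), now=2301.0)  # past lifespan
    return first, second, late
```
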