Hi all,
I got a very strange Keycloak behaviour on reset credentials.
I set my reset credentials flow as follows:
* I created a flow called "subflow" and set it as alternative
Inside my subflow I created 3 execution providers:
* choose user (required)
* send Reset Email (required)
* Reset Password (required)
The authentication flow is the default "browser" flow.
Now, I tried the following scenario:
* On the login page, click on "forgot password"
* Enter a valid email
* A message tells you that you should receive an email soon.
* Click again on "forgot password"
* Now, enter any valid user's email belonging to the realm
* Again, a message tells you that you should receive an email soon.
* Now click on the browser back button.
* You are connected with the credentials belonging to that user's email!
If you create your reset credentials flow without a subflow, this scenario doesn't allow you
to connect without the email link.
Before opening a bug case, can someone confirm that they see the same behaviour?
Thanks in advance,
Arnault