That's definitely not correct behavior. What version are you on? Can you give me
exact steps to reproduce?
----- Original Message -----
From: "Niko Köbler" <niko(a)n-k.de>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 16 July, 2015 1:58:21 PM
Subject: Re: [keycloak-user] Login user action lifespan
It is valid.
I can change my password again and again…
> On 16.07.2015 at 13:49, Stian Thorgersen <stian(a)redhat.com> wrote:
>
> Does it seem that it is valid, or is it valid? It should only be usable
> once.
>
> ----- Original Message -----
>> From: "Niko Köbler" <niko(a)n-k.de>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>> Subject: [keycloak-user] Login user action lifespan
>>
>> Hi,
>>
>> you can set the „login user action lifespan“ in realm settings for the time
>> the link is valid for a user to set a password (or other tasks).
>> This link seems to be valid and working even if the user has clicked on it
>> and has done the tasks.
>>
>> Is it possible to configure this link to be valid only once during its
>> lifespan? Or at least to be invalid as soon as the user has set his
>> password/done the login actions?
>> Otherwise this link could be used to change the password again, after the
>> user has already set his password - possibly by third persons who
>> learned of this link. May be a security issue?
>>
>> Thanks & regards,
>> - Niko
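
The behaviour discussed in this thread (a link that expires after its lifespan and is also usable only once) can be sketched as follows. This is an added example, not Keycloak's code: `ActionLinkStore`, the `set-password` action name and the user `alice` are hypothetical, and the clock is constructed so the run is deterministic.

```python
import hashlib
import secrets
import threading
import time

class ActionLinkStore:
    """Hypothetical server-side store for one-time action links."""

    def __init__(self, lifespan_seconds, clock=time.time):
        self.lifespan = lifespan_seconds
        self.clock = clock
        self._pending = {}  # sha256(token) -> (user, action, expires_at)
        self._lock = threading.Lock()

    @staticmethod
    def _key(token):
        # Keep only a hash so a leaked store does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, action):
        token = secrets.token_urlsafe(32)
        with self._lock:
            # A new link revokes older pending links for the same user/action.
            self._pending = {k: v for k, v in self._pending.items()
                             if v[:2] != (user, action)}
            self._pending[self._key(token)] = (
                user, action, self.clock() + self.lifespan)
        return token

    def redeem(self, token, action):
        """Return the user once; None if unknown, used, expired or wrong action."""
        with self._lock:
            # pop() checks and consumes in one step, so a replay (or a second
            # concurrent request) with the same link finds nothing.
            entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        user, issued_action, expires_at = entry
        if issued_action != action or self.clock() >= expires_at:
            return None
        return user

def demo():
    now = [1000.0]  # constructed clock value
    store = ActionLinkStore(300, clock=lambda: now[0])
    link = store.issue("alice", "set-password")
    first = store.redeem(link, "set-password")   # user sets the password
    replay = store.redeem(link, "set-password")  # same link, still in lifespan
    return first, replay  # ("alice", None)
```

The lifespan bounds how long an unused link stays valid; consuming the entry on first use is what stops a third party who later obtains the link from replaying it.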