Re: [keycloak-user] Login user action lifespan

From: "Niko Köbler" <niko(a)n-k.de&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Thursday, 16 July, 2015 1:58:21 PM Subject: Re: [keycloak-user] Login user action lifespan It is valid. I can change my password again and again… > Am 16.07.2015 um 13:49 schrieb Stian Thorgersen <stian(a)redhat.com&gt;: > > Does it seem that it is valid, or is it valid? It should only be usable > once. > > ----- Original Message ----- >> From: "Niko Köbler" <niko(a)n-k.de&gt; >> To: keycloak-user(a)lists.jboss.org >> Sent: Thursday, 16 July, 2015 1:45:43 PM >> Subject: [keycloak-user] Login user action lifespan >> >> Hi, >> >> you can set the „login user action lifespan“ in realm settings for the >> time >> the link is valid for a user to set a password (or other tasks). >> This link seems to be valid and working even if the user has clicked on it >> and has done the tasks. >> >> Is it possible to configure this link to be valid only once during its >> lifespan ? Or at least to be invalid as soon the user has set his >> password/done the login actions? >> Otherwise this link could be used to change the password again, after the >> user has already set his password - possibly from third persons who got >> known of this link. May be a security issue? >> >> Thanks & regards, >> - Niko >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user