Yes, we already did our own authentication flow here a couple of weeks ago, but I decided today to communicate this situation.
The question is that part of the documentation should be clarified, because at least I was confused after I saw the inconsistency
when seeing the behaviour of the registration form: a malicious user will still be capable of guessing valid users, so it's something
developers / admins should be warned about.
(Sorry I activated the digest mode of the mailing list and I don't really know how to properly reply to a thread without receiving the original email)
------------------
Feel free to extend the plugin then. :)

On 6/15/16 4:49 PM, Tomás García wrote:
> Hi,
>
> In this url:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003
>
> , it says:
>
> "This form *WILL NOT* re-ask the user to enter in an email or username
> if the previous email or username did not exist. You need to prevent
> attackers from being able to guess valid users. So, if
> AuthenticationFlowContext.getUser() returns null, you should proceed
> with the flow to make it look like a valid user was selected."
>
> And I totally agree with that, but it doesn't apply to all cases
> unfortunately. If the admin enables "User registration", the user
> registration form will tell a possible malicious guy if the email
> combinations she's trying already exist, invalidating what the above
> paragraph says. And I don't think there's a way to do the same as in the
> "forgot password" feature with the registration form, because after
> registration, there's an autologin.
>
> Actually it's confusing for users telling them an email was sent even
> if it's not... People sometimes can forget that they're not registered
> in the Keycloak system, so the "forgot password" feature as it is today
> will make them wait forever. At least, sending them an email telling
> them "You're not registered. You can register visiting this link." if
> "User registration" is enabled or "Ask your admin to register your email
> in the system" if it's not, would be definitely better.
>
> Thanks.
>
> --
>
> Tomás García Pérez
>
> Software Developer
>
> IntraHouse
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
Tomás García Pérez
Software Developer
IntraHouse
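As an added illustration of the behaviour the quoted documentation paragraph asks for (this is example code written for this thread, not Keycloak's own authenticator, and the `javax.ws.rs` imports, the `getUserByEmail(realm, email)` argument order and the `email-prompt.ftl` template name are assumptions that differ across Keycloak releases): a custom `Authenticator` that, when the submitted email matches no enabled user, clears the user and still continues the flow, so the browser gets the same response whether or not the account exists.

```java
package example.auth; // hypothetical package for this illustration

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** "Choose user by email" step for a reset-credential style flow (illustrative). */
public class EnumerationSafeEmailAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render the email prompt; the template name is an assumption.
        Response form = context.form().createForm("email-prompt.ftl");
        context.challenge(form);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        String email = formData.getFirst("email");
        if (email == null || email.trim().isEmpty()) {
            // Input-validation errors are the only ones shown; they say nothing about existence.
            context.challenge(context.form().setError("missingEmail").createForm("email-prompt.ftl"));
            return;
        }
        RealmModel realm = context.getRealm();
        UserModel user = context.getSession().users().getUserByEmail(realm, email.trim());

        if (user == null || !user.isEnabled()) {
            // Unknown or disabled account: record it server-side, never in the HTTP response.
            context.getEvent().detail(Details.USERNAME, email).error(Errors.USER_NOT_FOUND);
            context.clearUser();
        } else {
            context.setUser(user);
        }
        // Both branches continue identically; the next step renders the same "email sent" page.
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The matching `AuthenticatorFactory` registration is omitted here. Note that this pattern only protects a custom flow; as the thread points out, an enabled registration form still reports "email already exists", so the mitigation has to be applied to every user-facing lookup, not just this one.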