Sorry, I forgot to mention this step: I actually changed the password (set it the first time).
In the meantime I tried this loop (click link in mail, change password, log in) more than 5 times… it still works!
On 16.07.2015 at 14:26, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
> From: "Niko Köbler" <niko(a)n-k.de>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 16 July, 2015 2:24:40 PM
> Subject: Re: [keycloak-user] Login user action lifespan
>
> We are still on 1.2.0
>
> Steps to reproduce:
> - create a user via Admin API
> - trigger to send the password-reset mail via Admin API
> - click on the link in the mail to set the password
> - try to log in -> works
Have you actually changed the password here, or just logged in?
> - go back to your mails, click again on the password-reset link in the mail
> - change your password
> - try to log in with old password -> doesn’t work
> - try to log in with new password -> works
> - and so on…
>
>
>
>> On 16.07.2015 at 14:00, Stian Thorgersen <stian(a)redhat.com> wrote:
>>
>> That's definitively not correct behavior. What version are you on? Can you
>> give me exact steps to reproduce?
>>
>> ----- Original Message -----
>>> From: "Niko Köbler" <niko(a)n-k.de>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>
>>> It is valid.
>>> I can change my password again and again…
>>>
>>>
>>>> On 16.07.2015 at 13:49, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>
>>>> Does it seem that it is valid, or is it valid? It should only be usable
>>>> once.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Niko Köbler" <niko(a)n-k.de>
>>>>> To: keycloak-user(a)lists.jboss.org
>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>>> Subject: [keycloak-user] Login user action lifespan
>>>>>
>>>>> Hi,
>>>>>
>>>>> you can set the „login user action lifespan“ in realm settings for the time
>>>>> the link is valid for a user to set a password (or other tasks).
>>>>> This link seems to be valid and working even if the user has clicked on it
>>>>> and has done the tasks.
>>>>>
>>>>> Is it possible to configure this link to be valid only once during its
>>>>> lifespan? Or at least to be invalid as soon as the user has set his
>>>>> password/done the login actions?
>>>>> Otherwise this link could be used to change the password again, after the
>>>>> user has already set his password, possibly by third persons who got to
>>>>> know this link. Maybe a security issue?
>>>>>
>>>>> Thanks & regards,
>>>>> - Niko
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>
>
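The behaviour Niko is asking for (a reset link that is valid for its lifespan but only once, and that dies the moment the password has been set) can be demonstrated with a small action-token scheme. The Python below is an added example written for this thread; it is not Keycloak's code and says nothing about how Keycloak 1.2.0 actually implements its links. Everything in it is assumed for illustration: the HMAC key, the `User` record, the in-memory `CONSUMED` set, and the PBKDF2 placeholder for a real password hash. `redeem_lifespan_only` reproduces the symptom from the thread (the link keeps working after the password was changed); `redeem_single_use` shows the two fixes together, a consumed-nonce check and binding the token to the credential version it was issued against, so the token stops working even if the nonce store were lost.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed server-side signing key; generated fresh here for the example.
SECRET_KEY = secrets.token_bytes(32)
SIG_LEN = 32  # HMAC-SHA256 digest length, used to split payload from signature

# Nonces of tokens that have already been redeemed (a DB table in real life).
CONSUMED = set()


class User:
    """Minimal user record; password_version bumps on every credential change."""

    def __init__(self, username):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = None
        self.password_version = 0


def hash_pw(password, salt):
    # Placeholder for a proper slow hash (argon2/bcrypt); PBKDF2 keeps it stdlib-only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_login(users, username, password):
    user = users[username]
    if user.password_hash is None:
        return False
    return hmac.compare_digest(hash_pw(password, user.salt), user.password_hash)


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_reset_token(user, lifespan_seconds, now=None):
    """Mint the link token: user|expiry|password-version|nonce, HMAC-signed."""
    now = time.time() if now is None else now
    exp = int(now + lifespan_seconds)
    nonce = secrets.token_hex(16)
    payload = f"{user.username}|{exp}|{user.password_version}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def _parse(token):
    raw = base64.urlsafe_b64decode(token.encode())
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("bad signature")
    username, exp, ver, nonce = payload.decode().split("|")
    return username, int(exp), int(ver), nonce


def redeem_lifespan_only(token, users, new_password, now=None):
    """Checks only the lifespan: the link stays usable until it expires (the bug)."""
    now = time.time() if now is None else now
    username, exp, _ver, _nonce = _parse(token)
    if now > exp:
        raise ValueError("expired")
    user = users[username]
    user.password_hash = hash_pw(new_password, user.salt)
    return user


def redeem_single_use(token, users, new_password, now=None):
    """Lifespan + one-time nonce + credential-version binding (the fix)."""
    now = time.time() if now is None else now
    username, exp, ver, nonce = _parse(token)
    if now > exp:
        raise ValueError("expired")
    if nonce in CONSUMED:
        raise ValueError("already used")
    user = users[username]
    if ver != user.password_version:
        raise ValueError("password changed since the link was issued")
    CONSUMED.add(nonce)  # burn the nonce before touching the credential
    user.password_hash = hash_pw(new_password, user.salt)
    user.password_version += 1  # invalidates every token minted for the old version
    return user


def reproduce(redeem):
    """Niko's loop: set a password via the link, then reuse the same link.
    Returns True if the second redemption changed the password again."""
    users = {"niko": User("niko")}
    tok = issue_reset_token(users["niko"], lifespan_seconds=300, now=1000.0)
    redeem(tok, users, "first-pw", now=1010.0)
    first = users["niko"].password_hash
    try:
        redeem(tok, users, "second-pw", now=1020.0)
    except ValueError:
        return False
    return users["niko"].password_hash != first


if __name__ == "__main__":
    print("lifespan-only link reusable:", reproduce(redeem_lifespan_only))
    print("single-use link reusable:   ", reproduce(redeem_single_use))
```

Burning the nonce before the credential write matters: if the order were reversed, a crash between the two steps would leave a usable link behind. The version binding is the cheaper half of the fix, since it needs no extra storage and also covers the case where the user changed the password through some other path while the mail was still sitting in the inbox.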