6:50 a.m.
Hi,
we got requirement to have long timeout e.g. 2 - 3 days on links for e-mail verification
during registration for better UX.
It’s possible to do it via setting "Login action timeout” to 3 days. This setting
also change the timeout of link for forgot password AFAIK.
I’m thinking about security implications.
Can somebody steal such link in e-mail somehow and then steal identity because of doing
“forgot password” on target account? For example by listening SMTP protocol
communication?
Thanks,
Libor Krzyžanek
jboss.org Development Team
8:23 a.m.
On 10/11/15 13:50, Libor Krzyzanek wrote:
Hi,
we got requirement to have long timeout e.g. 2 - 3 days on links for e-mail verification
during registration for better UX.
It’s possible to do it via setting "Login action timeout” to 3 days. This setting
also change the timeout of link for forgot password AFAIK.
I’m thinking about security implications.
Can somebody steal such link in e-mail somehow and then steal identity because of doing
“forgot password” on target account? For example by listening SMTP protocol communication?
AFAIK If you use TLS for SMTP protocol, the communication between
Keycloak and SMTP server should be encrypted and hence nobody should be
able to listen and get the content of message.
Another thing is the communication between SMTP server and POP3/IMAP
server. I think it depends on the security of the POP3/IMAP server, the
major vendors like GMail are likely using secure communication. But I
don't know at 100%...
Thing is that "Forgot password" link can be used just once, so user will
be able to recognize that somebody else clicked on the link instead of him.
Marek
Thanks,
Libor Krzyžanek
jboss.org Development Team
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:27 a.m.
2-3 days for email verification seems OK to me, but I wouldn't do that for
password resets. So I think you need to request a feature to be able to
configure those independently.
On 10 November 2015 at 13:50, Libor Krzyzanek <lkrzyzan(a)redhat.com> wrote:
Hi,
we got requirement to have long timeout e.g. 2 - 3 days on links for
e-mail verification during registration for better UX.
It’s possible to do it via setting "Login action timeout” to 3 days. This
setting also change the timeout of link for forgot password AFAIK.
I’m thinking about security implications.
Can somebody steal such link in e-mail somehow and then steal identity
because of doing “forgot password” on target account? For example by
listening SMTP protocol communication?
Thanks,
Libor Krzyžanek
jboss.org Development Team
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:55 a.m.
Having such option makes sense for sure.
Jira issue: https://issues.jboss.org/browse/KEYCLOAK-2052
<https://issues.jboss.org/browse/KEYCLOAK-2052>
Thanks,
Libor Krzyžanek
jboss.org Development Team
On Nov 10, 2015, at 3:27 PM, Stian Thorgersen
<sthorger(a)redhat.com> wrote:
2-3 days for email verification seems OK to me, but I wouldn't do that for password
resets. So I think you need to request a feature to be able to configure those
independently.
On 10 November 2015 at 13:50, Libor Krzyzanek <lkrzyzan(a)redhat.com
<mailto:lkrzyzan@redhat.com>> wrote:
Hi,
we got requirement to have long timeout e.g. 2 - 3 days on links for e-mail verification
during registration for better UX.
It’s possible to do it via setting "Login action timeout” to 3 days. This setting
also change the timeout of link for forgot password AFAIK.
I’m thinking about security implications.
Can somebody steal such link in e-mail somehow and then steal identity because of doing
“forgot password” on target account? For example by listening SMTP protocol
communication?
Thanks,
Libor Krzyžanek
jboss.org <http://jboss.org/> Development Team
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
3319
days inactive
3319
days old
3 comments
3 participants
participants (3)
-
Libor Krzyzanek -
Marek Posolda -
Stian Thorgersen