6:45 a.m.
Hi,
you can set the „login user action lifespan“ in realm settings for the time the link is
valid for a user to set a password (or other tasks).
This link seems to be valid and working even if the user has clicked on it and has done
the tasks.
Is it possible to configure this link to be valid only once during its lifespan ? Or at
least to be invalid as soon the user has set his password/done the login actions?
Otherwise this link could be used to change the password again, after the user has already
set his password - possibly from third persons who got known of this link. May be a
security issue?
Thanks & regards,
- Niko
6:49 a.m.
Does it seem that it is valid, or is it valid? It should only be usable once.
----- Original Message -----
From: "Niko Köbler" <niko(a)n-k.de>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, 16 July, 2015 1:45:43 PM
Subject: [keycloak-user] Login user action lifespan
Hi,
you can set the „login user action lifespan“ in realm settings for the time
the link is valid for a user to set a password (or other tasks).
This link seems to be valid and working even if the user has clicked on it
and has done the tasks.
Is it possible to configure this link to be valid only once during its
lifespan ? Or at least to be invalid as soon the user has set his
password/done the login actions?
Otherwise this link could be used to change the password again, after the
user has already set his password - possibly from third persons who got
known of this link. May be a security issue?
Thanks & regards,
- Niko
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:58 a.m.
It is valid.
I can change my password again and again…
Am 16.07.2015 um 13:49 schrieb Stian Thorgersen
<stian(a)redhat.com>:
Does it seem that it is valid, or is it valid? It should only be usable once.
----- Original Message -----
> From: "Niko Köbler" <niko(a)n-k.de>
> To: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 16 July, 2015 1:45:43 PM
> Subject: [keycloak-user] Login user action lifespan
>
> Hi,
>
> you can set the „login user action lifespan“ in realm settings for the time
> the link is valid for a user to set a password (or other tasks).
> This link seems to be valid and working even if the user has clicked on it
> and has done the tasks.
>
> Is it possible to configure this link to be valid only once during its
> lifespan ? Or at least to be invalid as soon the user has set his
> password/done the login actions?
> Otherwise this link could be used to change the password again, after the
> user has already set his password - possibly from third persons who got
> known of this link. May be a security issue?
>
> Thanks & regards,
> - Niko
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
7 a.m.
That's definitively not correct behavior. What version are you on? Can you give me
exact steps to reproduce?
----- Original Message -----
From: "Niko Köbler" <niko(a)n-k.de>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 16 July, 2015 1:58:21 PM
Subject: Re: [keycloak-user] Login user action lifespan
It is valid.
I can change my password again and again…
> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen <stian(a)redhat.com>:
>
> Does it seem that it is valid, or is it valid? It should only be usable
> once.
>
> ----- Original Message -----
>> From: "Niko Köbler" <niko(a)n-k.de>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>> Subject: [keycloak-user] Login user action lifespan
>>
>> Hi,
>>
>> you can set the „login user action lifespan“ in realm settings for the
>> time
>> the link is valid for a user to set a password (or other tasks).
>> This link seems to be valid and working even if the user has clicked on it
>> and has done the tasks.
>>
>> Is it possible to configure this link to be valid only once during its
>> lifespan ? Or at least to be invalid as soon the user has set his
>> password/done the login actions?
>> Otherwise this link could be used to change the password again, after the
>> user has already set his password - possibly from third persons who got
>> known of this link. May be a security issue?
>>
>> Thanks & regards,
>> - Niko
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
7:24 a.m.
We are still on 1.2.0
Steps to reproduce:
- create a user via Admin API
- trigger to send the password-reset mail via Admin API
- click on the link in the mail to set the password
- try to log in -> works
- go back to your mails, click again on the password-reset link in the mail
- change your password
- try to log in with old password -> doesn’t work
- try to log in with new password -> works
- and so on…
Am 16.07.2015 um 14:00 schrieb Stian Thorgersen
<stian(a)redhat.com>:
That's definitively not correct behavior. What version are you on? Can you give me
exact steps to reproduce?
----- Original Message -----
> From: "Niko Köbler" <niko(a)n-k.de>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 16 July, 2015 1:58:21 PM
> Subject: Re: [keycloak-user] Login user action lifespan
>
> It is valid.
> I can change my password again and again…
>
>
>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen <stian(a)redhat.com>:
>>
>> Does it seem that it is valid, or is it valid? It should only be usable
>> once.
>>
>> ----- Original Message -----
>>> From: "Niko Köbler" <niko(a)n-k.de>
>>> To: keycloak-user(a)lists.jboss.org
>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>> Subject: [keycloak-user] Login user action lifespan
>>>
>>> Hi,
>>>
>>> you can set the „login user action lifespan“ in realm settings for the
>>> time
>>> the link is valid for a user to set a password (or other tasks).
>>> This link seems to be valid and working even if the user has clicked on it
>>> and has done the tasks.
>>>
>>> Is it possible to configure this link to be valid only once during its
>>> lifespan ? Or at least to be invalid as soon the user has set his
>>> password/done the login actions?
>>> Otherwise this link could be used to change the password again, after the
>>> user has already set his password - possibly from third persons who got
>>> known of this link. May be a security issue?
>>>
>>> Thanks & regards,
>>> - Niko
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
7:26 a.m.
----- Original Message -----
From: "Niko Köbler" <niko(a)n-k.de>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 16 July, 2015 2:24:40 PM
Subject: Re: [keycloak-user] Login user action lifespan
We are still on 1.2.0
Steps to reproduce:
- create a user via Admin API
- trigger to send the password-reset mail via Admin API
- click on the link in the mail to set the password
- try to log in -> works
Have you actually changed the password here, or just log in?
- go back to your mails, click again on the password-reset link in
the mail
- change your password
- try to log in with old password -> doesn’t work
- try to log in with new password -> works
- and so on…
> Am 16.07.2015 um 14:00 schrieb Stian Thorgersen <stian(a)redhat.com>:
>
> That's definitively not correct behavior. What version are you on? Can you
> give me exact steps to reproduce?
>
> ----- Original Message -----
>> From: "Niko Köbler" <niko(a)n-k.de>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>> Subject: Re: [keycloak-user] Login user action lifespan
>>
>> It is valid.
>> I can change my password again and again…
>>
>>
>>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen <stian(a)redhat.com>:
>>>
>>> Does it seem that it is valid, or is it valid? It should only be usable
>>> once.
>>>
>>> ----- Original Message -----
>>>> From: "Niko Köbler" <niko(a)n-k.de>
>>>> To: keycloak-user(a)lists.jboss.org
>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>> Subject: [keycloak-user] Login user action lifespan
>>>>
>>>> Hi,
>>>>
>>>> you can set the „login user action lifespan“ in realm settings for the
>>>> time
>>>> the link is valid for a user to set a password (or other tasks).
>>>> This link seems to be valid and working even if the user has clicked on
>>>> it
>>>> and has done the tasks.
>>>>
>>>> Is it possible to configure this link to be valid only once during its
>>>> lifespan ? Or at least to be invalid as soon the user has set his
>>>> password/done the login actions?
>>>> Otherwise this link could be used to change the password again, after
>>>> the
>>>> user has already set his password - possibly from third persons who got
>>>> known of this link. May be a security issue?
>>>>
>>>> Thanks & regards,
>>>> - Niko
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
7:30 a.m.
sorry, I forgot to mention this step, I actually changed the password (set it the first
time)
In the meantime I tried this loop (click link in mail, change password, log in) more than
5 times… it still works!
Am 16.07.2015 um 14:26 schrieb Stian Thorgersen
<stian(a)redhat.com>:
----- Original Message -----
> From: "Niko Köbler" <niko(a)n-k.de>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 16 July, 2015 2:24:40 PM
> Subject: Re: [keycloak-user] Login user action lifespan
>
> We are still on 1.2.0
>
> Steps to reproduce:
> - create a user via Admin API
> - trigger to send the password-reset mail via Admin API
> - click on the link in the mail to set the password
> - try to log in -> works
Have you actually changed the password here, or just log in?
> - go back to your mails, click again on the password-reset link in the mail
> - change your password
> - try to log in with old password -> doesn’t work
> - try to log in with new password -> works
> - and so on…
>
>
>
>> Am 16.07.2015 um 14:00 schrieb Stian Thorgersen <stian(a)redhat.com>:
>>
>> That's definitively not correct behavior. What version are you on? Can you
>> give me exact steps to reproduce?
>>
>> ----- Original Message -----
>>> From: "Niko Köbler" <niko(a)n-k.de>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>
>>> It is valid.
>>> I can change my password again and again…
>>>
>>>
>>>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen
<stian(a)redhat.com>:
>>>>
>>>> Does it seem that it is valid, or is it valid? It should only be usable
>>>> once.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Niko Köbler" <niko(a)n-k.de>
>>>>> To: keycloak-user(a)lists.jboss.org
>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>>> Subject: [keycloak-user] Login user action lifespan
>>>>>
>>>>> Hi,
>>>>>
>>>>> you can set the „login user action lifespan“ in realm settings for
the
>>>>> time
>>>>> the link is valid for a user to set a password (or other tasks).
>>>>> This link seems to be valid and working even if the user has clicked
on
>>>>> it
>>>>> and has done the tasks.
>>>>>
>>>>> Is it possible to configure this link to be valid only once during
its
>>>>> lifespan ? Or at least to be invalid as soon the user has set his
>>>>> password/done the login actions?
>>>>> Otherwise this link could be used to change the password again,
after
>>>>> the
>>>>> user has already set his password - possibly from third persons who
got
>>>>> known of this link. May be a security issue?
>>>>>
>>>>> Thanks & regards,
>>>>> - Niko
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>
>
7:32 a.m.
Can you create a JIRA for this please?
----- Original Message -----
From: "Niko Köbler" <niko(a)n-k.de>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 16 July, 2015 2:30:31 PM
Subject: Re: [keycloak-user] Login user action lifespan
sorry, I forgot to mention this step, I actually changed the password (set it
the first time)
In the meantime I tried this loop (click link in mail, change password, log
in) more than 5 times… it still works!
> Am 16.07.2015 um 14:26 schrieb Stian Thorgersen <stian(a)redhat.com>:
>
>
>
> ----- Original Message -----
>> From: "Niko Köbler" <niko(a)n-k.de>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 16 July, 2015 2:24:40 PM
>> Subject: Re: [keycloak-user] Login user action lifespan
>>
>> We are still on 1.2.0
>>
>> Steps to reproduce:
>> - create a user via Admin API
>> - trigger to send the password-reset mail via Admin API
>> - click on the link in the mail to set the password
>> - try to log in -> works
>
> Have you actually changed the password here, or just log in?
>
>> - go back to your mails, click again on the password-reset link in the
>> mail
>> - change your password
>> - try to log in with old password -> doesn’t work
>> - try to log in with new password -> works
>> - and so on…
>>
>>
>>
>>> Am 16.07.2015 um 14:00 schrieb Stian Thorgersen <stian(a)redhat.com>:
>>>
>>> That's definitively not correct behavior. What version are you on? Can
>>> you
>>> give me exact steps to reproduce?
>>>
>>> ----- Original Message -----
>>>> From: "Niko Köbler" <niko(a)n-k.de>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-user(a)lists.jboss.org
>>>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>>
>>>> It is valid.
>>>> I can change my password again and again…
>>>>
>>>>
>>>>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen
<stian(a)redhat.com>:
>>>>>
>>>>> Does it seem that it is valid, or is it valid? It should only be
usable
>>>>> once.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Niko Köbler" <niko(a)n-k.de>
>>>>>> To: keycloak-user(a)lists.jboss.org
>>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>>>> Subject: [keycloak-user] Login user action lifespan
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> you can set the „login user action lifespan“ in realm settings
for the
>>>>>> time
>>>>>> the link is valid for a user to set a password (or other
tasks).
>>>>>> This link seems to be valid and working even if the user has
clicked
>>>>>> on
>>>>>> it
>>>>>> and has done the tasks.
>>>>>>
>>>>>> Is it possible to configure this link to be valid only once
during its
>>>>>> lifespan ? Or at least to be invalid as soon the user has set
his
>>>>>> password/done the login actions?
>>>>>> Otherwise this link could be used to change the password again,
after
>>>>>> the
>>>>>> user has already set his password - possibly from third persons
who
>>>>>> got
>>>>>> known of this link. May be a security issue?
>>>>>>
>>>>>> Thanks & regards,
>>>>>> - Niko
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>
>>
7:44 a.m.
Done.
https://issues.jboss.org/browse/KEYCLOAK-1576
<https://issues.jboss.org/browse/KEYCLOAK-1576>
Thanks!
Am 16.07.2015 um 14:32 schrieb Stian Thorgersen
<stian(a)redhat.com>:
Can you create a JIRA for this please?
----- Original Message -----
> From: "Niko Köbler" <niko(a)n-k.de>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 16 July, 2015 2:30:31 PM
> Subject: Re: [keycloak-user] Login user action lifespan
>
> sorry, I forgot to mention this step, I actually changed the password (set it
> the first time)
>
> In the meantime I tried this loop (click link in mail, change password, log
> in) more than 5 times… it still works!
>
>
>> Am 16.07.2015 um 14:26 schrieb Stian Thorgersen <stian(a)redhat.com>:
>>
>>
>>
>> ----- Original Message -----
>>> From: "Niko Köbler" <niko(a)n-k.de>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Sent: Thursday, 16 July, 2015 2:24:40 PM
>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>
>>> We are still on 1.2.0
>>>
>>> Steps to reproduce:
>>> - create a user via Admin API
>>> - trigger to send the password-reset mail via Admin API
>>> - click on the link in the mail to set the password
>>> - try to log in -> works
>>
>> Have you actually changed the password here, or just log in?
>>
>>> - go back to your mails, click again on the password-reset link in the
>>> mail
>>> - change your password
>>> - try to log in with old password -> doesn’t work
>>> - try to log in with new password -> works
>>> - and so on…
>>>
>>>
>>>
>>>> Am 16.07.2015 um 14:00 schrieb Stian Thorgersen
<stian(a)redhat.com>:
>>>>
>>>> That's definitively not correct behavior. What version are you on?
Can
>>>> you
>>>> give me exact steps to reproduce?
>>>>
>>>> ----- Original Message -----
>>>>> From: "Niko Köbler" <niko(a)n-k.de>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>> Sent: Thursday, 16 July, 2015 1:58:21 PM
>>>>> Subject: Re: [keycloak-user] Login user action lifespan
>>>>>
>>>>> It is valid.
>>>>> I can change my password again and again…
>>>>>
>>>>>
>>>>>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen
<stian(a)redhat.com>:
>>>>>>
>>>>>> Does it seem that it is valid, or is it valid? It should only be
usable
>>>>>> once.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Niko Köbler" <niko(a)n-k.de>
>>>>>>> To: keycloak-user(a)lists.jboss.org
>>>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
>>>>>>> Subject: [keycloak-user] Login user action lifespan
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> you can set the „login user action lifespan“ in realm
settings for the
>>>>>>> time
>>>>>>> the link is valid for a user to set a password (or other
tasks).
>>>>>>> This link seems to be valid and working even if the user has
clicked
>>>>>>> on
>>>>>>> it
>>>>>>> and has done the tasks.
>>>>>>>
>>>>>>> Is it possible to configure this link to be valid only once
during its
>>>>>>> lifespan ? Or at least to be invalid as soon the user has set
his
>>>>>>> password/done the login actions?
>>>>>>> Otherwise this link could be used to change the password
again, after
>>>>>>> the
>>>>>>> user has already set his password - possibly from third
persons who
>>>>>>> got
>>>>>>> known of this link. May be a security issue?
>>>>>>>
>>>>>>> Thanks & regards,
>>>>>>> - Niko
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>
>>>
>
>
3452
days inactive
3452
days old
8 comments
2 participants
participants (2)
-
Niko Köbler -
Stian Thorgersen