[keycloak-dev] credential management

Bill Burke bburke at redhat.com
Mon Aug 12 17:12:31 EDT 2013


Registration
* new password and password confirmation
* TOTP secret and QR generation and confirmation.

Forgot password
* Email sent to user with URL enclosed
* If required by realm, ask one or more random questions i.e.:
- What is your mother's maiden name?
- What are the last 4 digits of your social security number?
- What is the name of your first pet?
- When did you lose your virginity?
- What is your birthday?
* User enters new password and confirmation

Change Password:
* Old Password
* New Password
* Confirm new Password

Lost Authenticator
* Admin must create a temporary token and speak it to user
* User can log in with this temporary token and head to their account 
management page.  Token expires after a certain amount of time.
or
* Ask one or more random questions as in Forgot password

Admin user creation:
* Email with a link is sent to user.  Link prompts user for credential 
set up.
* Or, generate a temporary password that must be reset by the user on next 
login.  The temporary password is spoken to the user or given to them by some 
other means.


When a user logs in keycloak must check to see if
* A temporary password was created and the user must enter a new one
* Registration is incomplete and new credentials must be set up, i.e. an 
authenticator.

Are there any security holes here?  One idea I have is that the admin 
would never ever see a credential.  For user creation, a temporary 
password is emailed to the user and never seen by the admin, or the user 
would have to register.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
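The registration step above (TOTP secret, QR generation, confirmation) is the piece most easily got wrong, so here is an added worked example of it. This is not Keycloak code and not part of the original post: it implements RFC 6238 TOTP over RFC 4226 HOTP in Python, builds the otpauth:// URI that gets encoded into the enrolment QR code, and verifies codes with a one-step drift window plus a per-user "last accepted step" so a code cannot be replayed. The issuer name, the window size and the replay counter are assumptions of the example.

```python
"""TOTP enrolment and verification (RFC 6238 over RFC 4226 HOTP, SHA-1, 6 digits, 30 s).
Added example, not Keycloak code; issuer name, the +/-1 step window and the
per-user replay counter are assumptions of this example."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

PERIOD = 30
DIGITS = 6


def generate_totp_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit secret, base32 encoded for the authenticator app (padding stripped)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str = "ExampleRealm") -> str:
    """The text that goes into the enrolment QR code (Key Uri Format used by authenticator apps)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"


def _key_bytes(secret_b32: str) -> bytes:
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, period: int = PERIOD) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(_key_bytes(secret_b32), int(at) // period)


class TotpVerifier:
    """Accepts a code within +/-window steps of now and never accepts the same step twice."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.key = _key_bytes(secret_b32)
        self.window = window
        self.last_counter = -1  # highest step already used; persist this per user

    def verify(self, code: str, at: float) -> bool:
        current = int(at) // PERIOD
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay of an already-accepted step (or an older one)
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


def confirm_enrolment(secret_b32: str, code: str, at: float) -> bool:
    """Registration confirmation: the user proves the app holds the secret before it is saved."""
    return TotpVerifier(secret_b32).verify(code, at)
```

Note that the secret is only stored after `confirm_enrolment` succeeds, so a user who scans the QR code and abandons the flow is not left with an authenticator they cannot use; and the replay counter has to live in the user record, not in memory, or a restart re-opens the window.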


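The forgot-password link, the spoken temporary token for a lost authenticator or a newly created user, the change-password form, and the login-time check for pending required actions are all one design, so here is a single added example covering them together. It is not Keycloak code and not from the original post; it is a small in-memory store in Python in which temporary credentials are stored only as a SHA-256 hash, expire, and can be redeemed exactly once, and in which login reports what the user still has to do (replace a temporary password, set up an authenticator) before the session is usable. The store, the purpose names, the TTLs, the speakable alphabet and the minimal password policy are assumptions of the example.

```python
"""Expiring, single-use temporary credentials and the login-time required-action check.
Added example, not Keycloak code; the store, the purpose names, the TTLs and the
password policy are assumptions of this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

RESET_LINK_TTL = 15 * 60    # assumed: e-mailed reset link is valid for 15 minutes
SPOKEN_TOKEN_TTL = 10 * 60  # assumed: token an admin reads out to a user lives 10 minutes
SPOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, survives being spoken


@dataclass
class User:
    username: str
    email: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None
    totp_secret: Optional[str] = None
    required_actions: set = field(default_factory=set)


@dataclass
class TempCredential:
    username: str
    purpose: str        # "LOGIN" (spoken token) or "RESET_PASSWORD" (e-mailed link)
    expires_at: float
    used: bool = False


def _hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def _hash_token(token: str) -> str:
    # Only the hash is stored: a copy of the store does not yield live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _password_acceptable(new_pw: str, confirm: str) -> bool:
    return new_pw == confirm and len(new_pw) >= 8   # assumed minimal policy


class CredentialStore:
    def __init__(self):
        self.users = {}   # username -> User
        self.temp = {}    # sha256(token) -> TempCredential

    def _issue(self, username, purpose, ttl, now, spoken=False):
        if spoken:
            token = "".join(secrets.choice(SPOKEN_ALPHABET) for _ in range(10))
        else:
            token = secrets.token_urlsafe(32)
        self.temp[_hash_token(token)] = TempCredential(username, purpose, now + ttl)
        return token

    def _redeem(self, token, username, purpose, now) -> Optional[User]:
        cred = self.temp.get(_hash_token(token))
        if (cred is None or cred.used or cred.username != username
                or cred.purpose != purpose or now > cred.expires_at):
            return None
        cred.used = True        # single use: a replayed token is refused
        return self.users[username]

    def _set_password(self, user, new_pw):
        user.password_hash = _hash_password(new_pw, user.salt)
        user.required_actions.discard("UPDATE_PASSWORD")

    # Admin user creation: a spoken temporary token; the user must then set a password and an authenticator.
    def admin_create_user(self, username, email, now):
        self.users[username] = User(username, email,
                                    required_actions={"UPDATE_PASSWORD", "CONFIGURE_TOTP"})
        return self._issue(username, "LOGIN", SPOKEN_TOKEN_TTL, now, spoken=True)

    # Lost authenticator: drop the old TOTP secret and hand the user a temporary login token.
    def lost_authenticator(self, username, now):
        user = self.users[username]
        user.totp_secret = None
        user.required_actions.add("CONFIGURE_TOTP")
        return self._issue(username, "LOGIN", SPOKEN_TOKEN_TTL, now, spoken=True)

    # Forgot password: the token exists only inside the e-mailed URL. Unknown users get None,
    # and the caller shows the same "if the account exists, mail was sent" page either way.
    def forgot_password(self, username, now, base_url="https://sso.example.test"):
        if username not in self.users:
            return None
        token = self._issue(username, "RESET_PASSWORD", RESET_LINK_TTL, now)
        return f"{base_url}/reset/{username}?token={token}"

    def complete_password_reset(self, username, token, new_pw, confirm, now):
        if not _password_acceptable(new_pw, confirm):
            return False    # validate the form before burning the single-use token
        user = self._redeem(token, username, "RESET_PASSWORD", now)
        if user is None:
            return False
        self._set_password(user, new_pw)
        return True

    # Change password from the account page: the old password is required once one exists.
    def change_password(self, username, old_pw, new_pw, confirm):
        user = self.users[username]
        if user.password_hash is not None and (old_pw is None or not hmac.compare_digest(
                user.password_hash, _hash_password(old_pw, user.salt))):
            return False
        if not _password_acceptable(new_pw, confirm):
            return False
        self._set_password(user, new_pw)
        return True

    def configure_totp(self, username, secret_b32):
        user = self.users[username]
        user.totp_secret = secret_b32
        user.required_actions.discard("CONFIGURE_TOTP")

    # Login: accept the real password or a live temporary token, then report what must
    # still be done before the session is usable.
    def login(self, username, credential, now):
        user = self.users.get(username)
        if user is None:
            return "invalid"
        ok = user.password_hash is not None and hmac.compare_digest(
            user.password_hash, _hash_password(credential, user.salt))
        if not ok and self._redeem(credential, username, "LOGIN", now) is not None:
            ok = True
            user.required_actions.add("UPDATE_PASSWORD")   # a temporary credential must be replaced
        if not ok:
            return "invalid"
        if user.required_actions:
            return "required_actions:" + ",".join(sorted(user.required_actions))
        return "ok"
```

The two properties worth checking in any real implementation are visible in `_redeem`: the token is bound to one purpose and one user, so a reset-link token cannot be presented at the login form, and `used` flips before the user is returned, so a leaked URL works at most once. Whoever issues the spoken token (admin or e-mail) never sees the user's eventual password, which is the "admin never sees a credential" property asked about above.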