[keycloak-dev] Password resetting

Stian Thorgersen stian at redhat.com
Fri Jan 24 08:38:11 EST 2014


To prevent hijacking the thread for planning what goes into the next release, I'll start this new thread on this subject.

For clarification, at the moment what we have with password reset is:

Users:
* If realm allows it and user has registered email address they can click on the recover password option. They then insert their username and an email with a link is sent to them. This link will expire within a configurable time (default is 10 min I think). The link will open a form enabling the user to insert a new password.

Admins:
* Admins can set a new temporary password on a user account. This will add a flag that the user is required to reset the password on next login. Currently the admin could remove this required action though, as admins can add/remove required actions to an account.

Improvements to this flow would be good. It's not elegant that the admin has to manually create a tmp password, and somehow communicate this to the user. Also, as Bruno pointed out, this would mean an admin could gain access to a user's account. Any other concerns?

With regards to admins being able to send a recover email, I'm not sure I see the point. Users can do this themselves if they want to. Also, the link in the email expires within a relatively short timeout, so it would quite likely be expired by the time a user reads it.

Stopping a compromised admin from being able to access the account, I'm not sure that would be feasible. Even if an admin can't set a tmp password, they could for example change the email and get a recovery password email sent to themselves. I also think a compromised admin account would mean we're pretty screwed in any case, so is this really important?

I don't understand how TOTP would work, can you explain?
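The two flows described in this message (the self-service recovery link whose token expires after a configurable time, and the admin-set temporary password that forces a password update at next login) as a small in-memory model. This is an added illustration, not Keycloak's own code: the class and method names, the `UPDATE_PASSWORD` required-action name and the 10-minute default are assumptions chosen to mirror the description above. It shows the checks a practitioner wants on the link path (token stored only as a hash, single use, rejected once expired, no link issued when the account has no email) and how the required-action flag changes the login outcome.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumption: 10 minutes, matching the default mentioned in the thread.
RESET_LINK_TTL_SECONDS = 10 * 60
# Hypothetical name for the "must reset password on next login" required action.
UPDATE_PASSWORD = "UPDATE_PASSWORD"


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2 so stored credentials are not reversible."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _digest(token: str) -> str:
    # Only the hash of the link token is stored: a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    username: str
    email: Optional[str]
    salt: bytes
    pw_hash: bytes
    required_actions: Set[str] = field(default_factory=set)


@dataclass
class ResetToken:
    username: str
    expires_at: float


class Realm:
    def __init__(self, reset_allowed: bool = True, ttl: int = RESET_LINK_TTL_SECONDS):
        self.reset_allowed = reset_allowed
        self.ttl = ttl
        self.users: Dict[str, User] = {}
        self.pending: Dict[str, ResetToken] = {}  # keyed by sha256(token)

    def add_user(self, username: str, password: str, email: Optional[str] = None):
        salt, digest = hash_password(password)
        self.users[username] = User(username, email, salt, digest)

    # --- user self-service path ---------------------------------------------
    def request_reset(self, username: str, now: float) -> Optional[str]:
        """Return the token that would go into the emailed link, or None.
        None (and no email) when the realm disallows recovery or the account has
        no registered address; show the same neutral message either way."""
        user = self.users.get(username)
        if not self.reset_allowed or user is None or not user.email:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = ResetToken(username, now + self.ttl)
        return token

    def complete_reset(self, token: str, new_password: str, now: float) -> bool:
        # pop() makes the link single use: a second attempt finds nothing.
        entry = self.pending.pop(_digest(token), None)
        if entry is None or now > entry.expires_at:
            return False
        self._set_password(entry.username, new_password)
        self.users[entry.username].required_actions.discard(UPDATE_PASSWORD)
        return True

    # --- admin path -----------------------------------------------------------
    def admin_set_temporary_password(self, username: str, temp_password: str):
        self._set_password(username, temp_password)
        self.users[username].required_actions.add(UPDATE_PASSWORD)

    def login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None:
            return "invalid"
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.pw_hash):
            return "invalid"
        if UPDATE_PASSWORD in user.required_actions:
            return "update_password_required"
        return "ok"

    def _set_password(self, username: str, password: str):
        user = self.users[username]
        user.salt, user.pw_hash = hash_password(password)


def demo() -> dict:
    """Walk both flows on constructed sample accounts and return each outcome."""
    realm = Realm()
    realm.add_user("alice", "old-pass", email="alice@example.test")  # constructed
    realm.add_user("bob", "bob-pass")  # constructed, no email registered
    out = {}
    out["no_email"] = realm.request_reset("bob", now=0)
    token = realm.request_reset("alice", now=0)
    out["expired"] = realm.complete_reset(token, "x", now=RESET_LINK_TTL_SECONDS + 1)
    token = realm.request_reset("alice", now=0)
    out["fresh"] = realm.complete_reset(token, "new-pass", now=60)
    out["reuse"] = realm.complete_reset(token, "other", now=61)
    out["login_new"] = realm.login("alice", "new-pass")
    realm.admin_set_temporary_password("alice", "tmp-123")
    out["login_tmp"] = realm.login("alice", "tmp-123")
    return out
```

`demo()` exercises the failure modes discussed in the thread: the expired link and the reused link are both refused, and after the admin sets a temporary password the login reports that a password update is required rather than granting normal access.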
