[keycloak-dev] Reset password and verify email links are too long

Stian Thorgersen stian at redhat.com
Tue Jul 15 12:34:06 EDT 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 15 July, 2014 4:59:02 PM
> Subject: Re: [keycloak-dev] Reset password and verify email links are too long
> 
> Can you wait to fix this?  I have changes everywhere. :)

Yes, I was just thinking about how it could be done.

> 
> But, I thought AccessCode could be:
> 
> id, session-id, timestamp
> 
> UserSession has an Enum login-state (logging-in, logged-in, etc.) and is
> associated with AccessCode and stores any information that is needed.
> FYI, the token is generated right now so scope doesn't have to be
> recalculated.  Maybe this isn't really an optimization as signature
> generation would take a lot longer :)
> 
> If that's what you're saying +1.

Are you referring to option 1, storing the required info in the user session temporarily? Not sure I understand the details about what you're proposing, though.

> 
> On 7/15/2014 11:49 AM, Stian Thorgersen wrote:
> > After the token manager was made stateless, the full code is sent in emails
> > (reset password and verify email); this is not very nice as it's very
> > long.
> >
> > Two ideas on how to fix this:
> >
> > 1. Save the code (user sessions?) and convert back to sending just the code
> > id in the email
> > 2. Send the info required to create a code (clientId, scope, state and
> > redirect encoded with the realm key)
> > 3. Send a short code that has to be copied/pasted back into the current
> > login form
> >
> > My thoughts are:
> >
> > 1. Nice and simple, but requires "storing" the code temporarily. Another
> > thing we could do is to associate it with the session; this would make
> > sure the email can only be clicked by the user that actually initiated it.
> > 2. Not so nice as I think it'll still create too long links (especially if
> > redirect and state are big).
> > 3. Kinda nice, but changes the way it all works. This may actually be the
> > optimal and more secure way to do it, though.
> >
> > See https://issues.jboss.org/browse/KEYCLOAK-542 for how big the link in
> > the email actually is ;)
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
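As an added example, not code from this thread or from Keycloak: a small Python sketch of option 1 (an opaque code id stored server-side and bound to the session that started the flow, as the note about associating the code with the session suggests) beside option 2 (clientId, scope, state and redirect encoded and signed under the realm key), run on the same sample login request so the link-length difference and the session-binding check can be seen together. The URL base, field names, HMAC key, session ids and sample values are constructed assumptions; the single-use and expiry checks are added here as the checks a practitioner would want and are not discussed in the thread.

```python
"""Added example (not Keycloak code): the two link-shortening designs from the thread.

Option 1 keeps the login request server-side under a random code id that is bound
to the user session; the e-mail link carries only the id.  Option 2 makes the link
self-contained by signing the request (clientId, scope, state, redirect) with a
realm key.  Both are toy in-memory implementations written for this example; the
URL base, sample values, key and session ids are constructed, not from the thread.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed sample login request (assumption: these are the fields a code needs).
SAMPLE_REQUEST = {
    "clientId": "account",
    "scope": "openid profile email",
    "state": "c3ab8aa609ea11e793ae92361f002671",
    "redirect": "https://app.example.com/callback?next=%2Fprofile%2Fsettings",
}
REALM_KEY = b"constructed-realm-hmac-key-for-the-example-only"  # assumption
LINK_BASE = "https://sso.example.com/auth/realms/demo/login-actions/reset-credentials?code="
TTL_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


class CodeStore:
    """Option 1: opaque, single-use code ids stored server-side and bound to a session."""

    def __init__(self, ttl: int = TTL_SECONDS) -> None:
        self.ttl = ttl
        self._codes: Dict[str, dict] = {}

    def issue(self, session_id: str, request: dict, now: Optional[float] = None) -> str:
        code_id = secrets.token_urlsafe(16)  # 128 random bits, 22 URL-safe characters
        self._codes[code_id] = {
            "session": session_id,
            "request": dict(request),
            "exp": _now(now) + self.ttl,
        }
        return code_id

    def redeem(self, code_id: str, session_id: str, now: Optional[float] = None) -> Optional[dict]:
        # Pop first: any attempt, successful or not, consumes the code (single use).
        entry = self._codes.pop(code_id, None)
        if entry is None or _now(now) > entry["exp"]:
            return None
        # The link only works from the browser session that started the flow.
        if not hmac.compare_digest(entry["session"].encode(), session_id.encode()):
            return None
        return entry["request"]


def encode_token(request: dict, key: bytes = REALM_KEY, now: Optional[float] = None,
                 ttl: int = TTL_SECONDS) -> str:
    """Option 2: self-contained 'payload.signature' token, HMAC-SHA256 under the realm key."""
    payload = dict(request, exp=int(_now(now) + ttl))
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def decode_token(token: str, key: bytes = REALM_KEY, now: Optional[float] = None) -> Optional[dict]:
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):  # verify before parsing anything
        return None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if _now(now) > payload["exp"]:
        return None
    del payload["exp"]
    return payload


def link_lengths(request: dict = SAMPLE_REQUEST) -> Dict[str, int]:
    """Length of the e-mail link under each design, for the same login request."""
    store = CodeStore()
    opaque = LINK_BASE + store.issue("session-1", request)
    signed = LINK_BASE + encode_token(request)
    return {"option1_opaque_id": len(opaque), "option2_signed": len(signed)}


if __name__ == "__main__":
    print(link_lengths())
```

The signed form is still well over twice the length of the opaque one for a realistic redirect and state, which is the objection to option 2 in the thread; the opaque form pays for its short link with server-side state, and the session check in `redeem` is what turns "the user who got the e-mail" into "the browser that started the flow".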