[keycloak-dev] Reset password and verify email links are to long

Stian Thorgersen stian at redhat.com
Wed Jul 16 06:54:11 EDT 2014


This is probably what you've said already Bill, but just to make sure:

1. Associate the required information to create a token from an access code with the user session (basically what's in AccessCodeEntry now)
2. The code that is sent as the query param only contains id, session-id, timestamp
3. Once we receive a code to swap for a token we remove the information added in 1 from the user session and use this to generate the token

Couple questions:

* Do we do this just for emails? or also for the code sent in login redirects?
* Do we really need session-id and timestamp, or isn't id enough?
* Isn't this pretty much just going back to state-full TokenManager except we're saving it in the UserSession instead of TokenManager itself? 

----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 16 July, 2014 11:34:39 AM
> Subject: Re: [keycloak-dev] Reset password and verify email links are to long
> 
> +1 to associate code with the UserSession and remove it once code is
> exchanged. This will also help to fix the issue we discussed before,
> that now it's possible to exchange same code multiple times, which is
> not in line with OAuth2 specs . Created
> https://issues.jboss.org/browse/KEYCLOAK-560 and linked with
> https://issues.jboss.org/browse/KEYCLOAK-542
> 
> Marek
> 
> On 16.7.2014 10:58, Stian Thorgersen wrote:
> > Are you talking about reducing the size of the code altogether or just for
> > the email links?
> >
> > I was thinking about just saving the base64 encoded access-code with the
> > user session temporarily, then sending the the access code id (36 char
> > uuid as before) in the email. First time the user clicks on the link the
> > access code would be removed from the session, so this would also make the
> > links a one-time-click thing.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 15 July, 2014 6:14:45 PM
> >> Subject: Re: [keycloak-dev] Reset password and verify email links are to
> >> long
> >>
> >>
> >>
> >> On 7/15/2014 12:34 PM, Stian Thorgersen wrote:
> >>>> If that's what you're saying +1.
> >>> Are you referring to option 1, storing the required info in the user
> >>> session temporarily? Not sure I understand the details about what you're
> >>> proposing though.
> >>>
> >> Yes, option 1.  AccessCode should be associated with the user session.
> >> Appropriate state needs to be stored in the session as AccessCode
> >> currently saves a lot of stuff.
> >>
> >> Then the code only has to contain:
> >>
> >> id, session-id, timestamp
> >>
> >>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> 


More information about the keycloak-dev mailing list