[keycloak-dev] Issues with the first login flow

Stian Thorgersen stian at redhat.com
Mon May 19 15:28:55 EDT 2014


From the technical point of view I don't like the idea of adding a special case that lets you set the admin password. Not just because of the additional work, but also as it adds a possible security hole. There are also situations where someone may set a more secure admin password on an initial installation prior to handing over to an admin, in which case there will be a password set, but the admin will be required to set the password. What we have covers both those use cases, as well as the use cases for when a password is required to be changed (suspected attack, expired password, etc).

On the other side, with regards to usability, I believe any user or admin of Keycloak is likely to experience the "update password" page, and may do so several times while using Keycloak. This page will be displayed after the user has logged in with username/password (and optionally totp). I agree that this can be confusing, especially as it has the exact same layout as the login screen and only text changes. If we can find a solution to making this page more obvious to users that would also sufficiently solve the first login case in my opinion.

By the way the last attachment doesn't work as the screen should be displayed after the user has logged in, and hence not require the user to enter a username.
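The flow argued for above (credentials verified first, then a single generic "update password" required action that covers initial install, handover, expiry and suspected compromise alike), as an added illustration written for this thread rather than Keycloak's own code; the `RequiredAction`, `User`, `login` and `complete_password_update` names are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
import hashlib
import hmac
import secrets


class RequiredAction(Enum):
    UPDATE_PASSWORD = auto()   # one flag, regardless of why it was set


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    required_actions: set = field(default_factory=set)


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str, force_update: bool = True) -> User:
    """Initial install or handover: a password exists, but must be changed on first login."""
    salt = secrets.token_bytes(16)
    user = User(username, salt, hash_pw(password, salt))
    if force_update:
        user.required_actions.add(RequiredAction.UPDATE_PASSWORD)
    return user


def flag_password_reset(user: User) -> None:
    """Expired password or suspected attack: same action, no special case."""
    user.required_actions.add(RequiredAction.UPDATE_PASSWORD)


def login(user: User, password: str) -> str:
    """Returns the page to show next. Credentials are always checked first, so
    the update page is never reachable without authenticating."""
    if not hmac.compare_digest(hash_pw(password, user.salt), user.pw_hash):
        return "login"             # failed: stay on login, reveal nothing about state
    if RequiredAction.UPDATE_PASSWORD in user.required_actions:
        return "update-password"   # the generic page this thread is about
    return "account"


def complete_password_update(user: User, new_password: str) -> None:
    """Called only from the update-password page, i.e. after login() succeeded."""
    user.salt = secrets.token_bytes(16)
    user.pw_hash = hash_pw(new_password, user.salt)
    user.required_actions.discard(RequiredAction.UPDATE_PASSWORD)
```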

----- Original Message -----
> From: "Gabriel Cardoso" <gcardoso at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Monday, 19 May, 2014 6:58:18 PM
> Subject: Re: [keycloak-dev] Issues with the first login flow
> 
> From the technical side, it requires a special logic. For the user, the login
> screen in the first access is a useless step. But I understand that you
> might want to prioritise other things that must be done.
> 
> That said, how about a page like this to update the password? It is easier to
> recognise and it would work both in the first login and when the account
> status is changed.
> 
> https://dl.dropboxusercontent.com/u/2730435/password2.png
> 
> 
> On May 19, 2014, at 12:30 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > I don't like that solution as it requires special logic in the server to
> > handle the first login.
> > 
> > I would much rather we improve the screen where a user is required to reset
> > the password.
> > 
> > ----- Original Message -----
> >> From: "Gabriel Cardoso" <gcardoso at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> >> Sent: Monday, 19 May, 2014 4:24:33 PM
> >> Subject: Re: [keycloak-dev] Issues with the first login flow
> >> 
> >> In my proposal it would have the same style as the login page, but the
> >> paragraph + inputs would create this visual differentiation to call the
> >> user’s attention.
> >> 
> >> Can’t we have something like the wireframe, Stian?
> >> 
> >> 
> >> On May 19, 2014, at 5:25 AM, Stian Thorgersen <stian at redhat.com> wrote:
> >> 
> >>> I don't think we should have a separate update password page, but instead
> >>> make the generic "you need to update your password" page more obvious.
> >>> 
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: keycloak-dev at lists.jboss.org
> >>>> Sent: Saturday, 17 May, 2014 7:33:44 PM
> >>>> Subject: Re: [keycloak-dev] Issues with the first login flow
> >>>> 
> >>>> 
> >>>> 
> >>>> On 5/16/2014 1:56 PM, Gabriel Cardoso wrote:
> >>>>> 
> >>>>> "for some reason, I didn't see that the form has changed and not asking
> >>>>> for my username/password anymore but new password/confirmation of
> >>>>> password
> >>>>> I lost a bit of time as I was wondering where to change the password
> >>>>> (it
> >>>>> was just in front of me really…)”
> >>>>> 
> >>>> 
> >>>> I have hit this a few times myself!  I think the update password page
> >>>> needs to look different than the login page.
> >>>> 
> >>>> 
> >>>> 
> >>>>> I don’t see a reason for having the login page for the first login.
> >>>>> Instead, we could have only the page to update the password, like
> >>>>> suggested in this wireframe:
> >>>>> https://issues.jboss.org/secure/attachment/12379916/1%20Update%20Password.png
> >>>>> 
> >>>>> Is this something managed by Keycloak? Is it possible to make this
> >>>>> change?
> >>>>> 
> >>>> 
> >>>> Well, you would get this update password page if your account status
> >>>> was changed too.
> >>>> 
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>> _______________________________________________
> >>>> keycloak-dev mailing list
> >>>> keycloak-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>> 
> >>> 
> >> 
> >> ---
> >> Gabriel Cardoso
> >> User Experience Designer @ Red Hat
> >> 
> >> 
> 
> ---
> Gabriel Cardoso
> User Experience Designer @ Red Hat
> 
> 
