[keycloak-dev] Issues with the first login flow

Stian Thorgersen stian at redhat.com
Tue May 20 11:44:00 EDT 2014
----- Original Message -----
> From: "Gabriel Cardoso" <gcardoso at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Tuesday, 20 May, 2014 4:33:37 PM
> Subject: Re: [keycloak-dev] Issues with the first login flow
> 
> > From the technical point of view I don't like the idea of adding a special
> > case that lets you set the admin password. Not just because of the
> > additional work, but also as it adds a possible security hole. There are
> > also situations where someone may set a more secure admin password on an
> > initial installation prior to handing over to an admin, in which case
> > there will be a password set, but the admin will be required to set the
> > password. What we have covers both those use cases, as well as the use
> > cases for when a password is required to be changed (suspected attack,
> > expired password, etc).
> > 
> > On the other side, with regards to usability, I believe any user or admin
> > of Keycloak is likely to experience the "update password" page, and may
> > do so several times while using Keycloak. This page will be displayed after
> > the user has logged in with username/password (and optionally totp). I
> > agree that this can be confusing, especially as it has the exact same
> > layout as the login screen and only the text changes. If we can find a
> > solution to making this page more obvious to users that would also
> > sufficiently solve the first login case in my opinion.
> 
> Ok, we can keep the current flow :)
> 
> > By the way the last attachment doesn't work as the screen should be
> > displayed after the user has logged in, and hence not require the user to
> > enter a username.
> 
> So, when the user is asked to update his password, is he already logged in?
> It doesn't feel like that at all. The feeling is that you need to update the
> password to log in. To update the password is mandatory at that point, isn’t
> it? I mean, without doing so, the user cannot “explore” the console, right?

He's not logged in; those are actions that the user is required to do prior to being logged in. The user will however have to identify himself with username/password (and totp if configured) prior to being permitted to do those actions. The actions a user can be asked to do as part of a login are not just limited to updating the password. These can include:

* Configure TOTP
* Update password
* Verify email
* Update profile

And possibly more to come in the future.


> 
> Regarding my screen, if the matter is the text “To have access to the
> console…”, we can easily change it. Maybe it is hard to recognise that, but
> the “username” field is already filled in with admin, and it is a disabled
> field. So the autofocus would be in “New password” and the user wouldn’t
> need to enter the username.
> 
> Despite your punctual appointments, don’t you think a screen like that would
> improve what we have? I included the text above and the field “username” for
> this screen to be visibly different from the login screen.

The text above we already have in a notification; I don't have a problem with moving that above the form. The username input field doesn't make sense at all, as the user is not able to change that at this stage.

> 
> Gabriel
> 
> ---
> Gabriel Cardoso
> User Experience Designer @ Red Hat
> 
> 