[keycloak-dev] key and code in emails
Stian Thorgersen
stian at redhat.com
Tue Oct 21 03:42:03 EDT 2014
I guess it's added as an additional security check. This would be applicable to all codes though.
I propose in ClientSessionCode#getAction we create a new key and set it on the ClientSession. Then we add the key to the signature part of the code. This would make each code more unique and harder to generate, while at the same time we could remove the key query param for emails.
----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Tuesday, 21 October, 2014 9:08:56 AM
> Subject: [keycloak-dev] key and code in emails
>
> Why is there a key as well as the code query params in links sent in emails?
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list