[keycloak-dev] refactoring reset password
Bill Burke
bburke at redhat.com
Sat Aug 15 19:15:17 EDT 2015
I'm refactoring reset password. I'll be adding a pluggable
"reset-credentials" flow so that users can add things like answering
secret questions before they are sent the email. They will also be able
to remove/disable sending an email and implement their own mechanism,
i.e. SMS.
Our old implementation would just reset the user's password, they would
then have to click back to application and restart the login process.
With flows, I can log the user in. Isn't that a better approach?
The only issue with automatic login is OTP. What should the default
behavior be here?
1) If OTP is set up for the user or if required by realm, automatically
set the OTP required action.
2) If OTP is set up for the user and not required by realm, disable
their OTP, let them log in.
3) If OTP is set up for the user or if required by realm, don't
automatically set the OTP required action, let the user log in after
successful email.
4) If OTP is set up for the user or required by realm, don't set OTP
required action, after successful email, require them to enter in the OTP.
I think the default behavior should be #1. Without coding, users would
still be able to configure any option above in the admin console by
adding various authenticators to the flow.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com