[keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password

Stian Thorgersen stian at redhat.com
Mon Jan 12 07:34:20 EST 2015


That's incorrect; can you create a Jira please?

----- Original Message -----
> From: "Michael Gerber" <gerbermichi at me.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 12 January, 2015 1:30:46 PM
> Subject: Re: [keycloak-dev]  A disabled user receives a confusing info message, if he tries to reset his password
> 
> Unfortunately, it isn't implemented like that.
> 
> Have a look at the authenticateInternal method of the AuthenticationManager
> class.
> AuthenticationStatus.ACCOUNT_DISABLED;
> is returned before the validCredentials method is invoked.
> 
> Best
> Michael
> 
> On 12 January 2015 at 12:25, Stian Thorgersen <stian at redhat.com> wrote:
> 
> 
> 
> ----- Original Message -----
> From: "Michael Gerber" <gerbermichi at me.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 12 January, 2015 11:20:02 AM
> Subject: Re: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password
> Thank you, that sounds logical.
> I just wondered, because you have a different error message for disabled
> users on the login screen.
> "Account is disabled, contact admin"
> 
> That should only be shown after a user has logged in with a valid
> username/password; if you try to log in with an invalid password and a disabled
> user, it should show invalid username/password.
> 
> Best
> Michael
> On 12 January 2015 at 10:45, Stian Thorgersen <stian at redhat.com> wrote:
> This is intentional. If we provide specific error messages on reset password
> it can be used to find out whether or not a username/email is valid. Same
> applies to login, instead of saying invalid username it just says invalid
> username or password.
> As an improvement we could extend the message to say if you haven't received
> a message within a certain time, then retry or contact an admin/support.
> ----- Original Message -----
> From: "Michael Gerber" <gerbermichi at me.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 9 January, 2015 4:01:49 PM
> Subject: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password
> A disabled user receives the following info message if he tries to reset his
> password:
> You should receive an email shortly with further instructions.
> This is a bit confusing. A message like that would be nicer:
> Failed to send email, please contact the administrator.
> I will create a PR if that is ok with you?
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
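The thread turns on the order of checks in a login handler: if the disabled-account check runs before the password is verified, a wrong password against a disabled account produces a different result than a wrong password against an active or unknown account, which discloses account state without any credential. The example below is added here to illustrate that point and is not Keycloak's code; `authenticate_leaky`, `authenticate_safe`, the `User` record, the sample user store and the password hashing are all hypothetical stand-ins for the `AuthenticationManager` logic the thread refers to. It shows the ordering Michael describes next to the ordering Stian asks for, the single generic reset-password message, and a small regression check that fails whenever a wrong password yields more than one distinct outcome across usernames.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, Iterable, Set


class AuthenticationStatus(Enum):
    SUCCESS = auto()
    INVALID_USER = auto()          # only the leaky variant ever returns this
    INVALID_CREDENTIALS = auto()
    ACCOUNT_DISABLED = auto()


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    enabled: bool = True


PBKDF2_ITERATIONS = 50_000  # kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, enabled: bool = True) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), enabled)


def build_sample_users() -> Dict[str, User]:
    # Constructed sample store: one enabled user, one disabled user; "carol" does not exist.
    return {
        "alice": make_user("alice", "correct horse"),
        "bob": make_user("bob", "battery staple", enabled=False),
    }


def authenticate_leaky(users: Dict[str, User], username: str, password: str) -> AuthenticationStatus:
    # Ordering Michael describes: the disabled check runs before the password is verified,
    # so a caller who knows only a username learns whether that account exists and is disabled.
    user = users.get(username)
    if user is None:
        return AuthenticationStatus.INVALID_USER
    if not user.enabled:
        return AuthenticationStatus.ACCOUNT_DISABLED
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return AuthenticationStatus.INVALID_CREDENTIALS
    return AuthenticationStatus.SUCCESS


# Dummy salt/hash so the unknown-user path does the same password work as the known-user path
# (keeps response time from distinguishing the two cases).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-never-a-real-password", _DUMMY_SALT)


def authenticate_safe(users: Dict[str, User], username: str, password: str) -> AuthenticationStatus:
    # Ordering Stian asks for: a wrong password always yields the same generic result, and
    # ACCOUNT_DISABLED is reported only once the caller has proven they know the password.
    user = users.get(username)
    salt = user.salt if user else _DUMMY_SALT
    expected = user.password_hash if user else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not password_ok:
        return AuthenticationStatus.INVALID_CREDENTIALS
    if not user.enabled:
        return AuthenticationStatus.ACCOUNT_DISABLED
    return AuthenticationStatus.SUCCESS


def login_message(status: AuthenticationStatus) -> str:
    # Login-screen texts quoted in the thread; unknown user and wrong password share one message.
    if status is AuthenticationStatus.SUCCESS:
        return "Logged in"
    if status is AuthenticationStatus.ACCOUNT_DISABLED:
        return "Account is disabled, contact admin"
    return "Invalid username or password"


RESET_MESSAGE = "You should receive an email shortly with further instructions."


def request_password_reset(users: Dict[str, User], username: str, send_email: Callable[[User], None]) -> str:
    # The reset flow returns the same text whether the account is unknown, disabled or active;
    # mail is actually sent only for an active account.
    user = users.get(username)
    if user is not None and user.enabled:
        send_email(user)
    return RESET_MESSAGE


def wrong_password_outcomes(authenticate, users: Dict[str, User], usernames: Iterable[str]) -> Set[AuthenticationStatus]:
    # Regression check for a test suite: with a wrong password, every username must map to the
    # same status. More than one distinct status means account state is leaking.
    return {authenticate(users, name, "definitely-not-the-password") for name in usernames}


if __name__ == "__main__":
    users = build_sample_users()
    names = ["alice", "bob", "carol"]
    print("leaky:", sorted(s.name for s in wrong_password_outcomes(authenticate_leaky, users, names)))
    print("safe: ", sorted(s.name for s in wrong_password_outcomes(authenticate_safe, users, names)))
```

Run stand-alone, the leaky variant reports three different statuses for the same wrong password while the safe variant reports one; `wrong_password_outcomes` is the kind of assertion worth keeping in a test suite so a later refactor cannot quietly move the disabled check back in front of credential validation.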
