[keycloak-dev] Looking for a workaround...
Stian Thorgersen
stian at redhat.com
Mon Jan 26 07:54:46 EST 2015
----- Original Message -----
> From: "Michael Gerber" <gerbermichi at me.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, January 26, 2015 1:37:53 PM
> Subject: [keycloak-dev] Looking for a workaround...
>
> Hi all,
>
> I receive a lot of bug reports from our test team because of the following
> two issues:
> - Reset password leads to 400 Bad Request (
> https://issues.jboss.org/browse/KEYCLOAK-1014 )
This is a tricky one - we can't ignore the state variable as that would make it vulnerable.
We could probably come up with an alternative way to generate and verify state variable though. Could be a HMAC for example.
> - Login attempt after "Login user action lifespan" leads to "Invalid username
> or password." ( https://issues.jboss.org/browse/KEYCLOAK-1015 )
I agree that the error message is not very good, but I disagree with removing the expiration. Why not increase it to say 30 min? That's probably a more sensible timeout for reset password as well.
>
> Do you have any good ideas for a workaround?
>
> Best
> Michael
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list