[keycloak-dev] Looking for a workaround...

Stian Thorgersen stian at redhat.com
Mon Jan 26 08:23:43 EST 2015


Adding list back to thread, please remember to reply to all




----- Original Message -----
> From: "Michael Gerber" <gerbermichi at me.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Sent: Monday, January 26, 2015 2:10:59 PM
> Subject: Re: [keycloak-dev] Looking for a workaround...
> 
> 
> 
> ----- Original Message -----
> From: "Michael Gerber" <gerbermichi at me.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, January 26, 2015 1:37:53 PM
> Subject: [keycloak-dev] Looking for a workaround...
> Hi all,
> I receive a lot of bug reports from our test team because of the following
> two issues:
> - Reset password leads to 400 Bad Request (
> https://issues.jboss.org/browse/KEYCLOAK-1014 )
> 
> This is a tricky one - we can't ignore the state variable as that would make
> it vulnerable.
> 
> We could probably come up with an alternative way to generate and verify
> state variable though. Could be a HMAC for example.
> So you would remove the state cookie?

It could potentially be a solution - I started a separate thread on keycloak-dev to discuss this.

> 
> 
> - Login attempt after "Login user action lifespan" leads to "Invalid username
> or password." ( https://issues.jboss.org/browse/KEYCLOAK-1015 )
> 
> I agree that the error message is not very good, but I disagree with removing
> the expiration. Why not increase it to say 30 min? That's probably a more
> sensible timeout for reset password as well.
> I prefer an expiration of 5 min for the password update process, but thats a
> bit short for the authentication or password reset process.
> I think the best solution would be different expiration times for the
> different processes, wouldn't it?

Maybe - we do try to keep configuration options to a minimum as these introduce complexity as well as potentials for bug/security issues.

> 
> 
> Do you have any good ideas for a workaround?
> Best
> Michael
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 


More information about the keycloak-dev mailing list