[keycloak-dev] Reset Actions

Stian Thorgersen sthorger at redhat.com
Fri Nov 27 03:29:11 EST 2015


The new reset actions don't require the user to authenticate prior to
performing them. Is it not a bit dangerous that the user can change the
email address without authentication?

For reset password we obviously need to be able to do it without requiring
authentication, but shouldn't "bypassing" authentication be limited as much
as possible?