[keycloak-dev] Cleanup of 'Change password' screen in Account app
Vlastimil Elias
velias at redhat.com
Fri Nov 27 04:23:25 EST 2015
Hi,
I have two proposals for cleanup of 'Change password' screen in Account
app based on my experience with it:
1. Remove the Cancel button - it has no meaning on this screen/form, it
only re-shows the form with empty fields. There is also a bug: the
"Password" field is hidden when it is used, which makes the whole form unusable.
2. Remove validation of the current password (remove the "Password" field). Two
reasons for this:
- The security impact of this check is small. If an attacker is able to
compromise the Account app, then he can always change the email and then use
the "Forgot password" feature to change the password.
- Users created via an Identity Provider do not know the old password
(because it is not set), so they are not able to set a password using this screen.
After we implement support for reauthentication (KEYCLOAK-2076), we
should set some reasonable reauth timeout for the Account app instead; this
will make it more secure overall.
If you agree, then I can create a JIRA issue for this and provide a PR.
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
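The alternative the mail argues for (gate the password change on a recent authentication instead of re-asking for the current password) looks roughly like the following. This is an added illustration, not Keycloak's Account app code, and the 300-second limit is an assumed value; the mail only asks for "some reasonable" reauth timeout. The session and credential store are constructed stand-ins.

```python
"""Recent-authentication gate for a password-change action.

Added example, not Keycloak's code. It models the proposal from the mail:
drop the "current password" field and instead refuse the change unless the
user authenticated (logged in or re-authenticated) within a reauth timeout.
This also covers users created through an Identity Provider, who have no
old password to type in.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REAUTH_MAX_AGE_SECONDS = 300  # assumption: 5 minutes; the mail gives no number
PBKDF2_ROUNDS = 200_000


@dataclass
class Session:
    user_id: str
    auth_time: float            # epoch seconds of the last login or reauthentication
    has_password: bool = True   # False for users created via an Identity Provider


class ReauthRequired(Exception):
    """Raised when the session is too old for a sensitive action."""


def needs_reauth(session: Session, now: float,
                 max_age: int = REAUTH_MAX_AGE_SECONDS) -> bool:
    """True when the last authentication is older than the reauth timeout."""
    return (now - session.auth_time) > max_age


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password(session: Session, new_password: str,
                    credential_store: Dict[str, Tuple[bytes, bytes]],
                    now: float) -> bool:
    """Set a new password if the session authenticated recently enough.

    No current-password check: a stale session must re-authenticate first,
    which is the gate the mail proposes in place of the "Password" field.
    Works the same for IdP users, who have no existing password.
    """
    if needs_reauth(session, now):
        age = now - session.auth_time
        raise ReauthRequired(f"last authentication {age:.0f}s ago; please re-login")
    credential_store[session.user_id] = hash_password(new_password)
    session.has_password = True
    return True


if __name__ == "__main__":
    # Constructed demo: an IdP-created user with a fresh session can set a
    # password; a user whose session is older than the timeout cannot.
    store: Dict[str, Tuple[bytes, bytes]] = {}
    fresh = Session("idp-user", auth_time=1_000_000.0, has_password=False)
    print(change_password(fresh, "new-secret", store, now=1_000_060.0))
    stale = Session("old-session-user", auth_time=1_000_000.0)
    try:
        change_password(stale, "new-secret", store, now=1_000_000.0 + 301)
    except ReauthRequired as e:
        print("rejected:", e)
```

The check is deliberately about the age of the session's authentication, not about possession of the old password, so a user created through an Identity Provider (`has_password=False`) can set a first password as long as they logged in recently.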