[keycloak-dev] Cleanup of 'Change password' screen in Account app
Vlastimil Elias
velias at redhat.com
Fri Nov 27 05:16:32 EST 2015
Hi Thomas,
On 27.11.2015 11:05, Thomas Raehalme wrote:
> Hi!
>
> On Fri, Nov 27, 2015 at 11:23 AM, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
> 2. remove validation of current password (remove "Password" field). Two reasons for this:
> - security impact of this check is small. If an attacker is able to compromise the Account app then he can always change the email and then use the "Forgot password" feature to change the password
> - users created over an Identity Provider do not know the old password (because it is not set) so they are not able to set a password using this screen
> After we implement support for reauthentication (KEYCLOAK-2076) then we should set some reasonable reauth timeout for the Account app instead; this will make it more secure overall.
>
>
> Wouldn't it make more sense to add password validation when changing email?
Yes, this is why I wrote about using the general reauthentication mechanism
defined in KEYCLOAK-2076 for the whole Account app.
It will work even for other authentication types - some Keycloak
instances may be configured not to use passwords at all.
Vl
>
> Best regards,
> Thomas
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
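As an added illustration of the reauth-timeout approach argued for above (example code written for this note, not Keycloak's own; the 300-second limit, the `User`/`Session` shapes and the PBKDF2 storage are assumptions), each sensitive Account-app action checks how recently the session authenticated instead of asking for the current password, so an IdP-created user with no password can still set one and the same gate covers the email change:

```python
# Added example (not Keycloak code): gate sensitive Account-app actions on how
# recently the session authenticated, instead of re-asking the current password.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

REAUTH_MAX_AGE = 300  # assumed "reasonable reauth timeout" for the Account app, seconds

@dataclass
class User:
    email: str
    # None for users created over an Identity Provider: no password is set.
    password: Optional[Tuple[bytes, bytes]] = None  # (salt, PBKDF2 digest)

@dataclass
class Session:
    auth_time: float  # when the user last (re)authenticated, by any method
    auth_method: str  # "password", "otp", "idp", ...: the gate does not care

def hash_password(plain: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, 200_000)

def verify_password(user: User, plain: str) -> bool:
    if user.password is None:
        return False
    salt, digest = user.password
    return hmac.compare_digest(digest, hash_password(plain, salt)[1])

def recently_authenticated(session: Session, now: float, max_age: float = REAUTH_MAX_AGE) -> bool:
    """The one check applied to every sensitive action, whatever the auth method."""
    return now - session.auth_time <= max_age

def change_password(user: User, session: Session, new_password: str, now: float) -> bool:
    # No current-password prompt, so an IdP-created user (password is None) can set one.
    if not recently_authenticated(session, now):
        return False  # the app would redirect to re-authenticate here
    user.password = hash_password(new_password)
    return True

def change_email(user: User, session: Session, new_email: str, now: float) -> bool:
    # Same gate on the action that could otherwise sidestep a password check via "Forgot password".
    if not recently_authenticated(session, now):
        return False
    user.email = new_email
    return True
```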