[keycloak-dev] refactored admin reset email and required actions

Stian Thorgersen stian at redhat.com
Tue Sep 1 02:04:08 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 31 August, 2015 4:09:54 PM
> Subject: Re: [keycloak-dev] refactored admin reset email and required actions
> 
> 
> 
> On 8/31/2015 7:06 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Saturday, 22 August, 2015 3:31:56 AM
> >> Subject: [keycloak-dev] refactored admin reset email and required actions
> >>
> >> Admin console can send a reset password email to the user.  Originally
> >> it just executed update password.  I changed this so that it sets an
> >> Update Password required action on the User.  The email link click runs
> >> all required actions set for the user, then displays a message that the
> >> Account has been updated.
> >
> > The admin console could do either - set a password (and choose if it was
> > temporary or not) as well as send a reset password link
> >
> 
> Admin console can still manually set the password (temporary or not).
> 
> 
> >>
> >> When I get back, I'm also going to change the admin console behavior and
> >> look too.  Instead of a "Reset Password Email" button on Credentials
> >> tab, there will be a button next to the Required Actions selection box
> >> on user detail, something like "Email Required Actions"  (I need a
> >> better name).  Clicking on this button will send an email to user
> >
> > This isn't the correct approach IMO. What we used to have was the ability
> > for an admin to send an email to a user to allow the user to recover the
> > password. It wasn't a required action, just something the user could do if
> > they needed to. I think how it worked before was much clearer to end
> > users, also credentials tab is the correct place for "recovering
> > password".
> >
> 
> 
> I'll repeat myself.  There may be more than one credential the
> admin/user needs/wants to reset.  These credentials may also be custom
> ones written by a system integrator.  I don't want to introduce yet
> another SPI for credential recovery when it would work exactly the same
> way as required actions.  Now, there is one place the admin can email
> the user to perform any specific action.

Recovering credentials is not a required action. It's an optional action the user may do, but the user should also be allowed to not do it. Also, it belongs on the credentials tab. I'm fairly sure no one is going to find it otherwise.

It doesn't have to be yet another SPI, but maybe we could add a type enum or something to the current SPI. Also, we could add support for optional actions?

> 
> If you want to create a separate SPI and way of doing this to support
> reset of more than just password, feel free to create that SPI, extend
> the Model API, write the tests, update the docs and create new examples
> and make sure the flow is configurable. I think this approach is fine.

I know we have a lot of work to do, but usability always has to be considered. One of the main reasons I was interested in Keycloak was to create something that would make security easier for users, admins and developers. I feel that if we continue adding and changing things without considering usability we could just end up being yet another hard-to-use product with all sorts of features.

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
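To make the two positions in this thread concrete, here is an added, self-contained model of the flow under discussion. It is not Keycloak's code or its required-actions SPI: the `Action`, `ActionToken` and `ActionType` names, the `RECOVER_PASSWORD` action, the 12-hour token lifetime and the single-use check are all assumptions made for this illustration (only `UPDATE_PASSWORD` and `CONFIGURE_TOTP` are real Keycloak required-action names). It shows the behaviour Bill describes (an emailed link that runs every required action set on the user, then reports that the account has been updated) next to the enum-typed "optional action" Stian suggests, which can be ignored by the user without blocking login.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;

/** Hypothetical model of required vs. optional action links; not Keycloak's implementation. */
public class ActionEmailDemo {

    /** Assumed type tag on each action, as proposed in the thread instead of a second SPI. */
    enum ActionType { REQUIRED, OPTIONAL }

    interface Action {
        String name();
        ActionType type();
        void execute(User user);
    }

    static final class User {
        final String username;
        final LinkedHashSet<String> requiredActions = new LinkedHashSet<>();
        final List<String> log = new ArrayList<>();
        User(String username) { this.username = username; }
    }

    /** Constructed placeholder for what the emailed link carries; Keycloak's real link format is not modelled. */
    static final class ActionToken {
        final String id = UUID.randomUUID().toString();
        final String username;
        final List<String> actions;
        final Instant expiresAt;
        ActionToken(String username, List<String> actions, Duration ttl) {
            this.username = username;
            this.actions = List.copyOf(actions);
            this.expiresAt = Instant.now().plus(ttl);
        }
    }

    private final Map<String, Action> registry = new HashMap<>();
    private final Set<String> consumedTokens = new HashSet<>();

    void register(Action a) { registry.put(a.name(), a); }

    /** Login stays blocked while any required action is outstanding; optional actions never block it. */
    boolean loginBlocked(User user) { return !user.requiredActions.isEmpty(); }

    /** Bill's flow: the admin emails one link that covers every required action currently set on the user. */
    ActionToken adminEmailRequiredActions(User user) {
        return new ActionToken(user.username, new ArrayList<>(user.requiredActions), Duration.ofHours(12));
    }

    /** Stian's variant: an optional recovery link; nothing is added to requiredActions, so the user may ignore it. */
    ActionToken adminEmailOptional(User user, String actionName) {
        Action a = registry.get(actionName);
        if (a == null || a.type() != ActionType.OPTIONAL) {
            throw new IllegalArgumentException(actionName + " is not an optional action");
        }
        return new ActionToken(user.username, List.of(actionName), Duration.ofHours(12));
    }

    /** Link click: reject reused, expired or mismatched tokens, then run each named action and clear it. */
    String onLinkClick(ActionToken token, User user) {
        if (!consumedTokens.add(token.id)) return "Link already used";
        if (Instant.now().isAfter(token.expiresAt)) return "Link expired";
        if (!token.username.equals(user.username)) return "Link not issued for this user";
        for (String name : token.actions) {
            registry.get(name).execute(user);
            user.requiredActions.remove(name); // no-op for optional actions
        }
        return "Your account has been updated";
    }

    /** Small factory so the demo can register actions that just record their execution. */
    static Action action(String name, ActionType type) {
        return new Action() {
            public String name() { return name; }
            public ActionType type() { return type; }
            public void execute(User u) { u.log.add("executed " + name); }
        };
    }

    public static void main(String[] args) {
        ActionEmailDemo svc = new ActionEmailDemo();
        svc.register(action("UPDATE_PASSWORD", ActionType.REQUIRED));
        svc.register(action("CONFIGURE_TOTP", ActionType.REQUIRED));
        svc.register(action("RECOVER_PASSWORD", ActionType.OPTIONAL)); // hypothetical optional action

        User alice = new User("alice");                     // constructed sample user
        alice.requiredActions.add("UPDATE_PASSWORD");
        alice.requiredActions.add("CONFIGURE_TOTP");
        System.out.println("login blocked before link: " + svc.loginBlocked(alice));

        ActionToken required = svc.adminEmailRequiredActions(alice);
        System.out.println(svc.onLinkClick(required, alice));  // runs both actions, then clears them
        System.out.println("login blocked after link: " + svc.loginBlocked(alice));
        System.out.println(svc.onLinkClick(required, alice));  // second click is rejected

        ActionToken optional = svc.adminEmailOptional(alice, "RECOVER_PASSWORD");
        System.out.println("login blocked with optional link outstanding: " + svc.loginBlocked(alice));
        System.out.println(alice.log);
    }
}
```

The point of the model is the `loginBlocked` check: with Bill's approach every emailed action is also a required action, so the user cannot log in until the link is followed; with the `OPTIONAL` tag the same token and link machinery is reused for recovery without forcing the user through it. The single-use and expiry checks on the token are general practice for any emailed action link and are an assumption of this example, not a description of Keycloak's behaviour.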

