[keycloak-dev] refactored admin reset email and required actions

Stian Thorgersen stian at redhat.com
Wed Sep 2 09:20:18 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 2 September, 2015 3:12:07 PM
> Subject: Re: [keycloak-dev] refactored admin reset email and required actions
> 
> 
> 
> On 9/1/2015 2:04 AM, Stian Thorgersen wrote:
> >> I'll repeat myself.  There may be more than one credential the
> >> admin/user needs/wants to reset.  These credentials may also be custom
> >> ones written by a system integrator.  I don't want to introduce yet
> >> another SPI for credential recovery when it would work exactly the same
> >> way as required actions.  Now, there is one place the admin can email
> >> the user to perform any specific action.
> >
> > Recovering credentials is not a required action. It's an optional action
> > the user may do, but the user should also be allowed to not do it. Also,
> > it belongs on the credentials tab. I'm fairly sure no one is going to find
> > it otherwise.
> >
> > It doesn't have to be yet another SPI, but maybe we could add a type enum
> > or something to the current SPI. Also, we could add support for optional
> > actions?
> >
> >>
> >> If you want to create a separate SPI and way of doing this to support
> >> reset of more than just password, feel free to create that SPI, extend
> >> the Model API, write the tests, update the docs and create new examples
> >> and make sure the flow is configurable. I think this approach is fine.
> >
> > I know we have a lot of work to do, but usability has to always be
> > considered. One of the main reasons I was interested in Keycloak was to
> > create something that would make security easier for users, admins and
> > developers. I feel that if we continue adding and changing things without
> > considering usability we could just end up being yet another hard-to-use
> > product with all sorts of features.
> >
> 
> I was thinking about this a little more and I thought about the ability
> to add required actions to the ClientSession.  Those required actions
> would only have to be executed within that client session login and
> could be aborted.  Then user forgot password and admin reset would only
> set required actions for the clientsession and the actions become temporary.

How would that work for admin reset? Do we create a user/client session for those? I guess we do.

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
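The distinction Bill proposes above (required actions attached to a single client session, so they are temporary and disappear if that login is aborted, versus the existing user-level required actions that persist across logins) can be illustrated with a small model. The code below is an added example written for this thread; it is not Keycloak's code or API, and every class and method name in it (`User`, `ClientSession`, `adminReset`, `pendingActions`, `abort`, `complete`) is a hypothetical stand-in for the real model classes.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical model (not Keycloak's API): a required action can live on the
// user record (persistent, runs on every login until completed) or on one
// client session (temporary, discarded when that login is aborted).
public class ScopedRequiredActions {

    // Hypothetical user record: actions stored here survive across logins.
    static final class User {
        final String username;
        final Set<String> requiredActions = new LinkedHashSet<>();
        User(String username) { this.username = username; }
    }

    // Hypothetical client session: actions stored here exist only for this login.
    static final class ClientSession {
        final User user;
        final String clientId;
        final Set<String> requiredActions = new LinkedHashSet<>();
        boolean aborted;
        ClientSession(User user, String clientId) {
            this.user = user;
            this.clientId = clientId;
        }
    }

    // Admin reset as proposed: attach the action to a fresh client session only,
    // so nothing is written to the persistent user record.
    static ClientSession adminReset(User user, String clientId, String action) {
        ClientSession cs = new ClientSession(user, clientId);
        cs.requiredActions.add(action);
        return cs;
    }

    // Actions the login flow must still run for this session: the temporary,
    // session-scoped ones first (if the session is live), then the user-level ones.
    static List<String> pendingActions(ClientSession cs) {
        List<String> pending = new ArrayList<>();
        if (!cs.aborted) {
            pending.addAll(cs.requiredActions);
        }
        pending.addAll(cs.user.requiredActions);
        return pending;
    }

    // Aborting the login discards the session-scoped actions; the user-level
    // ones are untouched and will be enforced again at the next login.
    static void abort(ClientSession cs) {
        cs.aborted = true;
        cs.requiredActions.clear();
    }

    // Completing an action clears it from whichever scope holds it.
    static void complete(ClientSession cs, String action) {
        if (!cs.requiredActions.remove(action)) {
            cs.user.requiredActions.remove(action);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        User alice = new User("alice");
        alice.requiredActions.add("VERIFY_EMAIL"); // persistent, set at registration

        // Admin triggers a password reset scoped to one login.
        ClientSession cs = adminReset(alice, "account-console", "UPDATE_PASSWORD");
        System.out.println("pending before abort: " + pendingActions(cs));

        // The user walks away from that login; the temporary reset must not linger.
        abort(cs);
        System.out.println("pending after abort:  " + pendingActions(cs));

        // A later login for the same user sees only the persistent action.
        ClientSession next = new ClientSession(alice, "account-console");
        System.out.println("pending at next login: " + pendingActions(next));
        complete(next, "VERIFY_EMAIL");
        System.out.println("after completing: " + pendingActions(next));
    }
}
```

The point of the model is the scoping rule in `pendingActions` and `abort`: a reset action that lives on the client session is gone as soon as that login is abandoned, so an admin-initiated reset cannot leave a stale, user-wide obligation behind, while actions that genuinely must be enforced on every login stay on the user record.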

