[keycloak-dev] Action tokens

[Hynek Mlnarik]

Following up e-mail sent earlier today by Marek, I'm sending info on action tokens.

Action token is a concept intended as a time-boxed ticket for a bearer to perform a single operation like reset password. They will be used for one-time actions that can be potentially delayed or executed outside of current authentication flow.

The idea is to implement them as signed JWT tokens where the allowed operation will be specified in token type field. Action tokens will support expiration definable per action (different expiration for e.g. verify e-mail and reset password, or customizable expiration when sent from admin interface). JWT allows both signing and supports custom fields that can be used by the operation to supply additional arguments and to implement prevention of reusing the token once the operation would be performed already.

Initially it seemed that a distributed cache would be needed to prevent reusing the token for the second time. After thinking it over however it turned out that currently all required cases can be prevented by introducing a field like "last timestamp of the password change" into a reset password token that is checked and operation is only allowed if the token value is equal to the one from database.

So far the initial implementation covers token in reset-password e-mail. Cache-independent version of action tokens is available here [1].

--Hynek

[1] https://github.com/hmlnarik/keycloak/tree/mposolda--cross-dc2-replaced-hmlnariks-commits