[keycloak-dev] Password Updates and Authenticators in the new Account Console

Stan Silvert ssilvert at redhat.com
Tue Aug 27 19:59:01 EDT 2019


On 8/27/2019 7:17 AM, Stian Thorgersen wrote:
> With regards to security, there are two issues. First, if someone gets hold
> of a bearer token they should not be able to hijack someone's account. If we
> allow an access token to change credentials it is very easy to completely
> hijack an account. Secondly, as we're talking about an SSO solution it's
> important that an app has only access to what it needs to have access to.
> That means no applications should have direct access to users' credentials,
> which they would need to have to be able to update them through a REST API.
This is the point that we will need to emphasize to users when they
first see the new account console.

Vaclav is right to point out the awkwardness as it stands right now. I
think that we can smooth things out, but until we do, users need to
understand what Stian said above. Then they will at least know it is
for the sake of better security.