[keycloak-dev] Password Updates and Authenticators in the new Account Console
Stian Thorgersen
sthorger at redhat.com
Mon Sep 2 07:29:56 EDT 2019
I'm all on board with planning some followup work to polish the experience
around AIA. Having a theme that matches the account console sounds like a
decent idea. We can either make it switch the theme always for the account
console, or perhaps we could also introduce a flag to allow the client to
control the theme and let account console use a different theme for AIAs.
Should be noted that this should be planned as follow-up work though and
not as part of the new account console epic. So would be most likely
something we couldn't do until next year unless it's not too much work.
On Wed, 28 Aug 2019 at 02:00, Stan Silvert <ssilvert at redhat.com> wrote:
> On 8/27/2019 7:17 AM, Stian Thorgersen wrote:
> > With regards to security, there are two issues. First, if someone gets
> > hold of a bearer token they should not be able to hijack someone's
> > account. If we allow an access token to change credentials it is very
> > easy to completely hijack an account. Secondly, as we're talking about an
> > SSO solution it's important that an app has only access to what it needs
> > to have access to. That means no applications should have direct access
> > to users' credentials, which they would need to have to be able to update
> > them through a REST API.
> This is the point that we will need to emphasize to users when they
> first see the new account console.
>
> Vaclav is right to point out the awkwardness as it stands right now. I
> think that we can smooth things out, but until we do, users need to
> understand what Stian said above. Then they will at least know it is
> for the sake of better security.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev