[keycloak-dev] Password Updates and Authenticators in the new Account Console

Stian Thorgersen sthorger at redhat.com
Mon Sep 2 16:49:16 EDT 2019


One approach might be an iframe and a custom AIA theme for account console.
That way we can get it really well integrated.

On Mon, 2 Sep 2019, 13:29 Stian Thorgersen, <sthorger at redhat.com> wrote:

> I'm all on board with planning some followup work to polish the experience
> around AIA. Having a theme that matches the account console sounds like a
> decent idea. We can either make it switch the theme always for the account
> console, or perhaps we could also introduce a flag to allow the client to
> control the theme and let account console use a different theme for AIAs.
> Should be noted that this should be planned as follow-up work though and
> not as part of the new account console epic. So would be most likely
> something we couldn't do until next year unless it's not too much work.
>
> On Wed, 28 Aug 2019 at 02:00, Stan Silvert <ssilvert at redhat.com> wrote:
>
>> On 8/27/2019 7:17 AM, Stian Thorgersen wrote:
>> > With regards to security, there are two issues. First, if someone gets
>> > hold of a bearer token they should not be able to hijack someone's
>> > account. If we allow an access token to change credentials it is very
>> > easy to completely hijack an account. Secondly, as we're talking about
>> > an SSO solution it's important that an app has only access to what it
>> > needs to have access to. That means no applications should have direct
>> > access to users' credentials, which they would need to have to be able
>> > to update through a REST API.
>> This is the point that we will need to emphasize to users when they
>> first see the new account console.
>>
>> Vaclav is right to point out the awkwardness as it stands right now.  I
>> think that we can smooth things out, but until we do, users need to
>> understand what Stian said above.  Then they will at least know it is
>> for the sake of better security.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

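The redirect-based flow the thread argues for (Keycloak runs the credential update itself via an Application Initiated Action, rather than the account console changing a credential with its bearer token), as an added example that is not part of this thread or of Keycloak's own code. The parameter names kc_action and kc_action_status follow Keycloak's AIA documentation; the realm, client and URLs are constructed.

```python
"""Added example: building the AIA request and checking its result.
kc_action / kc_action_status are Keycloak's AIA parameters (not shown in
the thread); realm, client_id and hostnames below are made up."""
from urllib.parse import urlencode, urlparse, parse_qs

# Actions an app is allowed to request; anything else is refused up front.
ALLOWED_ACTIONS = {"UPDATE_PASSWORD", "CONFIGURE_TOTP", "UPDATE_PROFILE"}


def build_aia_url(base_url, realm, client_id, redirect_uri, action, state):
    """Authorization request asking Keycloak itself to run a required action.

    The browser is sent to Keycloak's login page, so the new credential is
    entered there and never passes through the app or its access token.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,          # CSRF guard, verified on the way back
        "kc_action": action,     # the AIA the app is requesting
    }
    return (f"{base_url}/realms/{realm}/protocol/openid-connect/auth?"
            f"{urlencode(params)}")


def parse_aia_callback(callback_url, expected_state):
    """Read Keycloak's report of the action outcome from the redirect back.

    Fails closed: a state mismatch raises, and a missing status is treated
    as an error rather than a success.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    status = qs.get("kc_action_status", ["error"])[0]
    return {"status": status, "code": qs.get("code", [None])[0]}
```

The app only ever sees the authorization code and a success/cancelled/error status; the password itself stays between the user and Keycloak.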