[keycloak-user] Login user action lifespan

Stian Thorgersen stian at redhat.com
Thu Jul 16 08:32:54 EDT 2015


Can you create a JIRA for this please?

----- Original Message -----
> From: "Niko Köbler" <niko at n-k.de>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 16 July, 2015 2:30:31 PM
> Subject: Re: [keycloak-user] Login user action lifespan
> 
> Sorry, I forgot to mention this step, I actually changed the password (set it
> the first time)
> 
> In the meantime I tried this loop (click link in mail, change password, log
> in) more than 5 times… it still works!
> 
> 
> > On 16.07.2015 at 14:26, Stian Thorgersen <stian at redhat.com> wrote:
> > 
> > 
> > 
> > ----- Original Message -----
> >> From: "Niko Köbler" <niko at n-k.de>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-user at lists.jboss.org
> >> Sent: Thursday, 16 July, 2015 2:24:40 PM
> >> Subject: Re: [keycloak-user] Login user action lifespan
> >> 
> >> We are still on 1.2.0
> >> 
> >> Steps to reproduce:
> >> - create a user via Admin API
> >> - trigger to send the password-reset mail via Admin API
> >> - click on the link in the mail to set the password
> >> - try to log in -> works
> > 
> > Have you actually changed the password here, or just logged in?
> > 
> >> - go back to your mails, click again on the password-reset link in the mail
> >> - change your password
> >> - try to log in with old password -> doesn’t work
> >> - try to log in with new password -> works
> >> - and so on…
> >> 
> >> 
> >> 
> >>> On 16.07.2015 at 14:00, Stian Thorgersen <stian at redhat.com> wrote:
> >>> 
> >>> That's definitely not correct behavior. What version are you on? Can you
> >>> give me exact steps to reproduce?
> >>> 
> >>> ----- Original Message -----
> >>>> From: "Niko Köbler" <niko at n-k.de>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-user at lists.jboss.org
> >>>> Sent: Thursday, 16 July, 2015 1:58:21 PM
> >>>> Subject: Re: [keycloak-user] Login user action lifespan
> >>>> 
> >>>> It is valid.
> >>>> I can change my password again and again…
> >>>> 
> >>>> 
> >>>>> On 16.07.2015 at 13:49, Stian Thorgersen <stian at redhat.com> wrote:
> >>>>> 
> >>>>> Does it seem that it is valid, or is it valid? It should only be usable
> >>>>> once.
> >>>>> 
> >>>>> ----- Original Message -----
> >>>>>> From: "Niko Köbler" <niko at n-k.de>
> >>>>>> To: keycloak-user at lists.jboss.org
> >>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM
> >>>>>> Subject: [keycloak-user] Login user action lifespan
> >>>>>> 
> >>>>>> Hi,
> >>>>>> 
> >>>>>> You can set the "login user action lifespan" in realm settings for the time
> >>>>>> the link is valid for a user to set a password (or other tasks).
> >>>>>> This link seems to be valid and working even if the user has clicked on it
> >>>>>> and has done the tasks.
> >>>>>> 
> >>>>>> Is it possible to configure this link to be valid only once during its
> >>>>>> lifespan? Or at least to be invalid as soon as the user has set his
> >>>>>> password/done the login actions?
> >>>>>> Otherwise this link could be used to change the password again, after the
> >>>>>> user has already set his password - possibly by third persons who got to
> >>>>>> know of this link. Maybe a security issue?
> >>>>>> 
> >>>>>> Thanks & regards,
> >>>>>> - Niko
> >>>> 
> >>>> 
> >> 
> >> 
> 
> 
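The semantics the thread asks for (a set-password link that is usable once, expires with the configured lifespan, and dies as soon as the password has been set by any other link), as an added illustration that is not Keycloak's code; the `ResetLinkStore`, `User`, `cred_version` and the 300-second lifespan are assumptions made for this example:

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str = ""
    cred_version: int = 0          # bumped every time the password is set


@dataclass
class ResetLinkStore:
    """Single-use, time-limited 'set password' links (illustrative, not Keycloak's implementation)."""
    users: dict                    # username -> User
    lifespan: int = 300            # analogue of 'login user action lifespan', in seconds (assumed)
    _pending: dict = field(default_factory=dict)   # token -> (username, cred_version, expires_at)

    def issue(self, username: str, now: float) -> str:
        user = self.users[username]
        token = secrets.token_urlsafe(32)
        self._pending[token] = (username, user.cred_version, now + self.lifespan)
        return token

    def set_password(self, token: str, new_password: str, now: float) -> bool:
        # pop() makes the link single-use: a second click finds nothing, whatever the first outcome
        rec = self._pending.pop(token, None)
        if rec is None:
            return False
        username, issued_for_version, expires_at = rec
        user = self.users[username]
        if now > expires_at:
            return False                           # lifespan exceeded
        if issued_for_version != user.cred_version:
            return False                           # password already set since this link was issued
        # placeholder hashing for the demo; a real store uses a password KDF (bcrypt, argon2, ...)
        user.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
        user.cred_version += 1                     # invalidates every other outstanding link
        return True


def demo() -> dict:
    """Replays the loop from the thread against the store (constructed timestamps and names)."""
    store = ResetLinkStore(users={"niko": User("niko")})
    t0 = 1_000.0
    link1 = store.issue("niko", t0)
    link2 = store.issue("niko", t0)                            # second mail requested before the first is used
    first = store.set_password(link1, "first-pw", t0 + 10)     # normal first use -> accepted
    reuse = store.set_password(link1, "second-pw", t0 + 20)    # clicking the same link again -> rejected
    stale = store.set_password(link2, "third-pw", t0 + 30)     # unused link that predates the change -> rejected
    link3 = store.issue("niko", t0 + 40)
    late = store.set_password(link3, "fourth-pw", t0 + 40 + 301)   # past the lifespan -> rejected
    return {"first": first, "reuse": reuse, "stale": stale, "late": late}
```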


