[keycloak-user] Issues with password reset link expiration
Bill Burke
bburke at redhat.com
Wed Feb 10 08:53:52 EST 2016
We changed the "error" message in I think 1.9? Maybe 1.8 to say "You
clicked on a stale link. Maybe you have already verified your email?"
I'll look into improving this I guess.
On 2/10/2016 4:21 AM, Stian Thorgersen wrote:
> It should be possible to open the link multiple times, but only submit
> the password reset once. If that's not the case (sounds like it is)
> feel free to create a JIRA issue to report this as a bug.
>
> On 10 February 2016 at 05:24, Michael Anthon
> <michael.anthon at infoview.com.au> wrote:
>
> We are having issues with some users when they are attempting to
> use the password reset feature. It does work for most users
> however for some they always end up at an error page saying "WE'RE
> SORRY ... An error occurred, please login again through your
> application"
>
> What I have been able to determine so far is that for the affected
> users we are seeing a double hit on that URL in the server logs
> and from what I understand, these reset URLs are invalidated as
> soon as they are accessed.
>
> So here's the state of play
> * works for most users
> * some users hitting the reset URL twice
> * URL is only valid for the first access (I'm not 100% sure about
> this, can someone confirm please?)
> * URL is only valid for 30 minutes (but is being accessed within a
> few minutes of generation)
> * affected users are mostly using Outlook
> * some people tend to double click links in emails but I've
> verified with a reliable user that they are only clicking the link
> once
> * having the affected person send themselves another reset email
> and then copy and paste the URL from the mail client usually
> resolves this problem
>
> And questions
> * is this an issue anyone else has noticed with Outlook, doesn't
> affect ALL Outlook users, just some
> * is there a way to prevent the URL from being invalidated on
> initial access
> * is it feasible to change the behavior so that the URL is only
> invalidated when the password is changed
> * any other thoughts on how to avoid this issue?
>
> Thanks and Regards,
>
> Michael Anthon
> InfoView Technologies Pty Ltd
> 12/15 Adelaide St, Brisbane Qld 4000
> P O Box 15478, City East, Brisbane Qld 4000
> PH: +61 7 3014 2204
> F: +61 7 3014 2200
> M: +61 408 768 055
> michael.anthon at infoview.com.au
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com