[keycloak-user] Issues with password reset link expiration
Bill Burke
bburke at redhat.com
Wed Feb 10 09:15:48 EST 2016
I think this may have been fixed in 1.9 with the flow changes I made. I
don't have time to try it out right now though.
On 2/10/2016 8:58 AM, Stian Thorgersen wrote:
> It's not about the error message though. It should be possible to open
> the link multiple times as long as the form is not submitted.
>
> On 10 February 2016 at 14:53, Bill Burke <bburke at redhat.com> wrote:
>
> We changed the "error" message in I think 1.9? Maybe 1.8 to say
> "You clicked on a stale link. Maybe you have already verified
> your email?" I'll look into improving this I guess.
>
>
> On 2/10/2016 4:21 AM, Stian Thorgersen wrote:
>> It should be possible to open the link multiple times, but only
>> submit the password reset once. If that's not the case (sounds
>> like it is), feel free to create a JIRA issue to report this as a bug.
>>
>> On 10 February 2016 at 05:24, Michael Anthon
>> <michael.anthon at infoview.com.au> wrote:
>>
>> We are having issues with some users when they are attempting
>> to use the password reset feature. It does work for most
>> users however for some they always end up at an error page
>> saying "WE'RE SORRY ... An error occurred, please login again
>> through your application"
>>
>> What I have been able to determine so far is that for the
>> affected users we are seeing a double hit on that URL in the
>> server logs and from what I understand, these reset URLs are
>> invalidated as soon as they are accessed.
>>
>> So here's the state of play
>> * works for most users
>> * some users hitting the reset URL twice
>> * URL is only valid for the first access (I'm not 100% sure
>> about this, can someone confirm please?)
>> * URL is only valid for 30 minutes (but is being accessed
>> within a few minutes of generation)
>> * affected users are mostly using Outlook
>> * some people tend to double click links in emails but I've
>> verified with a reliable user that they are only clicking the
>> link once
>> * having the affected person send themselves another reset
>> email and then copy and paste the URL from the mail client
>> usually resolves this problem
>>
>> And questions
>> * is this an issue anyone else has noticed with Outlook? It
>> doesn't affect ALL Outlook users, just some
>> * is there a way to prevent the URL from being invalidated on
>> initial access
>> * is it feasible to change the behavior so that the URL is
>> only invalidated when the password is changed
>> * any other thoughts on how to avoid this issue?
>>
>> Thanks and Regards,
>>
>> Michael Anthon
>> InfoView Technologies Pty Ltd
>> 12/15 Adelaide St, Brisbane Qld 4000
>> P O Box 15478, City East, Brisbane Qld 4000
>> PH: +61 7 3014 2204
>> F: +61 7 3014 2200
>> M: +61 408 768 055
>> michael.anthon at infoview.com.au
>>
>> The information transmitted is intended only for the person
>> or entity to which it is addressed and may contain
>> confidential and/or privileged material. Any review,
>> retransmission, dissemination or other use of, or taking of
>> any action in reliance upon, this information by persons or
>> entities other than the intended recipient is prohibited. If
>> you received this in error, please contact the sender and
>> delete the material from any computer. Any views or opinions
>> expressed in this email are solely those of the author and do
>> not necessarily represent those of InfoView Technologies Pty Ltd.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
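The behaviour Stian describes (a reset link that can be opened any number of times within its 30-minute window, but whose reset is accepted only once) is easy to get wrong if the GET that renders the form also spends the token, which is exactly what makes a mail client's link prefetch or a double click look like a stale link. The sketch below is an added illustration written for this thread, not Keycloak's code; the `ResetTokenStore` class, its method names and the injectable `clock` are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# 30-minute validity window, as stated in the thread.
RESET_TTL_SECONDS = 30 * 60


@dataclass
class ResetRecord:
    username: str
    issued_at: float
    used: bool = False


class ResetTokenStore:
    """Illustrative store (not Keycloak's): a link may be opened any number
    of times before expiry, but the password reset itself is accepted once."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Persist only a digest so a leaked table does not yield live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = ResetRecord(username, self._clock())
        return token

    def _valid_record(self, token: str) -> Optional[ResetRecord]:
        rec = self._records.get(self._key(token))
        if rec is None or rec.used:
            return None
        if self._clock() - rec.issued_at > RESET_TTL_SECONDS:
            return None
        return rec

    def open_link(self, token: str) -> bool:
        """GET handler: decides whether to render the form. Read-only, so a
        mail client's prefetch or a double click cannot spend the token."""
        return self._valid_record(token) is not None

    def consume(self, token: str) -> Optional[str]:
        """POST handler: the only place the token is spent. Returns the
        username on success, None if unknown, expired or already used."""
        rec = self._valid_record(token)
        if rec is None:
            return None
        rec.used = True
        return rec.username
```

In a real deployment the `used` flag must be set with an atomic compare-and-set on the backing store, otherwise two concurrent POSTs can both pass the check.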