[keycloak-user] Issues with password reset link expiration

Stian Thorgersen sthorger at redhat.com
Wed Feb 10 09:25:57 EST 2016


Michael,

Can you confirm if this issue still exists on 1.9.0.CR1 and, if it does,
create a JIRA issue?

On 10 February 2016 at 15:15, Bill Burke <bburke at redhat.com> wrote:

> I think this may have been fixed in 1.9 with the flow changes I made.  I
> don't have time to try it out right now though.
>
>
> On 2/10/2016 8:58 AM, Stian Thorgersen wrote:
>
> It's not about the error message though. It should be possible to open the
> link multiple times as long as the form is not submitted.
>
> On 10 February 2016 at 14:53, Bill Burke <bburke at redhat.com> wrote:
>
>> We changed the "error" message in I think 1.9?  Maybe 1.8 to say "You
>> clicked on a stale link.  Maybe you have already verified your email?"
>> I'll look into improving this I guess.
>>
>>
>> On 2/10/2016 4:21 AM, Stian Thorgersen wrote:
>>
>> It should be possible to open the link multiple times, but only submit
>> the password reset once. If that's not the case (sounds like it is) feel
>> free to create a JIRA issue to report this as a bug.
>>
>> On 10 February 2016 at 05:24, Michael Anthon <michael.anthon at infoview.com.au> wrote:
>>
>>> We are having issues with some users when they are attempting to use the
>>> password reset feature.  It does work for most users however for some they
>>> always end up at an error page saying "WE'RE SORRY ... An error occurred,
>>> please login again through your application"
>>>
>>> What I have been able to determine so far is that for the affected users
>>> we are seeing a double hit on that URL in the server logs and from what I
>>> understand, these reset URLs are invalidated as soon as they are accessed.
>>>
>>> So here's the state of play
>>> * works for most users
>>> * some users hitting the reset URL twice
>>> * URL is only valid for the first access (I'm not 100% sure about this,
>>> can someone confirm please?)
>>> * URL is only valid for 30 minutes (but is being accessed within a few
>>> minutes of generation)
>>> * affected users are mostly using Outlook
>>> * some people tend to double click links in emails but I've verified
>>> with a reliable user that they are only clicking the link once
>>> * having the affected person send themselves another reset email and
>>> then copy and paste the URL from the mail client usually resolves this
>>> problem
>>>
>>> And questions
>>> * is this an issue anyone else has noticed with Outlook, doesn't affect
>>> ALL Outlook users, just some
>>> * is there a way to prevent the URL from being invalidated on initial
>>> access
>>> * is it feasible to change the behavior so that the URL is only
>>> invalidated when the password is changed
>>> * any other thoughts on how to avoid this issue?
>>>
>>> Thanks and Regards,
>>>
>>> Michael Anthon
>>> InfoView Technologies Pty Ltd
>>> 12/15 Adelaide St, Brisbane Qld 4000
>>> P O Box 15478, City East, Brisbane Qld 4000
>>> PH: +61 7 3014 2204
>>> F:  +61 7 3014 2200
>>> M:  +61 408 768 055
>>> michael.anthon at infoview.com.au
>>>
>>> The information transmitted is intended only for the person or entity to
>>> which it is addressed and may contain confidential and/or privileged
>>> material. Any review, retransmission, dissemination or other use of, or
>>> taking of any action in reliance upon, this information by persons or
>>> entities other than the intended recipient is prohibited. If you received
>>> this in error, please contact the sender and delete the material from any
>>> computer. Any views or opinions expressed in this email are solely those of
>>> the author and do not necessarily represent those of InfoView Technologies
>>> Pty Ltd.
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>
>>
>>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hathttp://bill.burkecentral.com
>
>
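The behaviour Stian describes above (a reset link may be opened any number of times, and only a submitted password change consumes it) versus the consume-on-first-access behaviour Michael's affected users were hitting, as an added Python example. This is not Keycloak's code and is not part of the original thread; the class and function names are hypothetical, the in-memory store stands in for a real session or database, and the only value taken from the thread is the 30-minute link lifetime. `double_hit_outcome` replays the reported scenario: the URL is fetched twice before the user submits the form.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Added illustration, not Keycloak code. The 30-minute lifetime is the value
# mentioned in the thread; everything else here is an assumption.
TOKEN_TTL_SECONDS = 30 * 60


@dataclass
class ResetRecord:
    user: str
    issued_at: float
    consumed: bool = False


class PasswordResetStore:
    """Hypothetical in-memory reset-token store.

    consume_on_open=False: opening the link (GET) never consumes the token;
    only a successful password submission (POST) does. This is the
    behaviour the thread describes as intended.
    consume_on_open=True: the token dies on first access, so whatever
    fetches the URL a second time gets an error page.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time,
                 consume_on_open=False):
        self._records = {}
        self._ttl = ttl
        self._clock = clock
        self._consume_on_open = consume_on_open

    @staticmethod
    def _key(token):
        # Keep only a digest so a leaked store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Create a fresh single-use token for `user` and return it."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = ResetRecord(user, self._clock())
        return token

    def _live(self, token):
        # A token is live if it exists, is unconsumed and is inside its TTL.
        rec = self._records.get(self._key(token))
        if rec is None or rec.consumed:
            return None
        if self._clock() - rec.issued_at > self._ttl:
            return None
        return rec

    def open_link(self, token):
        """GET handler: True if the reset form may be rendered."""
        rec = self._live(token)
        if rec is None:
            return False
        if self._consume_on_open:
            rec.consumed = True
        return True

    def submit(self, token, new_password):
        """POST handler: change the password once and consume the token."""
        rec = self._live(token)
        if rec is None or not new_password:
            return False
        rec.consumed = True
        # A real implementation would hash and store new_password for rec.user.
        return True


def double_hit_outcome(consume_on_open):
    """Replay the thread's scenario: the URL is fetched twice before the user
    submits the form. Returns (second_open_ok, submit_ok)."""
    store = PasswordResetStore(consume_on_open=consume_on_open)
    token = store.issue("alice")
    store.open_link(token)           # first hit, whatever caused it
    second = store.open_link(token)  # second hit: the user's actual click
    submitted = store.submit(token, "correct horse battery staple")
    return second, submitted


if __name__ == "__main__":
    print("consume on open  :", double_hit_outcome(True))   # (False, False)
    print("consume on submit:", double_hit_outcome(False))  # (True, True)
```

With consume-on-submit semantics the second GET still renders the form and the subsequent POST succeeds; with consume-on-open the user lands on the error page even though nothing was changed. The TTL is still enforced on every access, so relaxing when the token is consumed does not extend how long the link is usable.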