[keycloak-user] Issues with password reset link expiration

Stian Thorgersen sthorger at redhat.com
Fri Feb 12 02:56:20 EST 2016


Great, thanks for the update

On 12 February 2016 at 08:44, Michael Anthon <michael.anthon at infoview.com.au> wrote:

> We have verified that the behavior is correct in 1.9.0.CR1.
>
> Cheers,
>
> Michael
>
> *From:* keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Michael Anthon
> *Sent:* Thursday, 11 February 2016 2:42 PM
> *To:* keycloak-user at lists.jboss.org
>
> *Subject:* Re: [keycloak-user] Issues with password reset link expiration
>
> Thanks for the replies, I forgot to mention we are currently on
> 1.6.1.Final; however, we do have a test setup where we can run an upgrade and
> check this out.
>
> Will try that and report back and/or create a ticket as required.
>
> Cheers,
>
> Michael
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Thursday, 11 February 2016 12:26 AM
> *To:* Bill Burke <bburke at redhat.com>; Michael Anthon <michael.anthon at infoview.com.au>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] Issues with password reset link expiration
>
> Michael,
>
> Can you confirm if this issue still exists on 1.9.0.CR1 and if it does
> create a JIRA issue?
>
> On 10 February 2016 at 15:15, Bill Burke <bburke at redhat.com> wrote:
>
> I think this may have been fixed in 1.9 with the flow changes I made.  I
> don't have time to try it out right now though.
>
> On 2/10/2016 8:58 AM, Stian Thorgersen wrote:
>
> It's not about the error message though. It should be possible to open the
> link multiple times as long as the form is not submitted.
>
> On 10 February 2016 at 14:53, Bill Burke <bburke at redhat.com> wrote:
>
> We changed the "error" message in I think 1.9?  Maybe 1.8 to say "You
> clicked on a stale link.  Maybe you have already verified your email?"
> I'll look into improving this I guess.
>
> On 2/10/2016 4:21 AM, Stian Thorgersen wrote:
>
> It should be possible to open the link multiple times, but only submit the
> password reset once. If that's not the case (sounds like it is) feel free
> to create a JIRA issue to report this as a bug.
>
> On 10 February 2016 at 05:24, Michael Anthon <michael.anthon at infoview.com.au> wrote:
>
> We are having issues with some users when they are attempting to use the
> password reset feature.  It does work for most users however for some they
> always end up at an error page saying "WE'RE SORRY ... An error occurred,
> please login again through your application"
>
> What I have been able to determine so far is that for the affected users
> we are seeing a double hit on that URL in the server logs and from what I
> understand, these reset URLs are invalidated as soon as they are accessed.
>
> So here's the state of play
> * works for most users
> * some users hitting the reset URL twice
> * URL is only valid for the first access (I'm not 100% sure about this,
> can someone confirm please?)
> * URL is only valid for 30 minutes (but is being accessed within a few
> minutes of generation)
> * affected users are mostly using Outlook
> * some people tend to double click links in emails but I've verified with
> a reliable user that they are only clicking the link once
> * having the affected person send themselves another reset email and then
> copy and paste the URL from the mail client usually resolves this problem
>
> And questions
> * is this an issue anyone else has noticed with Outlook, doesn't affect
> ALL Outlook users, just some
> * is there a way to prevent the URL from being invalidated on initial
> access
> * is it feasible to change the behavior so that the URL is only
> invalidated when the password is changed
> * any other thoughts on how to avoid this issue?
>
> Thanks and Regards,
>
> Michael Anthon
> InfoView Technologies Pty Ltd
> 12/15 Adelaide St, Brisbane Qld 4000
> P O Box 15478, City East, Brisbane Qld 4000
> PH: +61 7 3014 2204
> F: +61 7 3014 2200
> M: +61 408 768 055
> michael.anthon at infoview.com.au
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
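The design point argued in the thread (open the reset link as often as you like, but only one submission may change the password) can be illustrated with a small model. This is added example code, not Keycloak's implementation: a hypothetical in-memory token store where `invalidate_on_open=True` reproduces the reported failure mode (a second hit on the URL, such as a mail client prefetching the link, leaves the real user with a stale link) and `invalidate_on_open=False` shows the intended behaviour; the 30 minute TTL is the one mentioned in the report.

```python
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # the 30 minute link validity mentioned in the thread


class ResetTokenStore:
    """Hypothetical in-memory store for reset links (example code, not Keycloak's)."""

    def __init__(self, invalidate_on_open: bool, clock=time.time):
        self.invalidate_on_open = invalidate_on_open  # True models the reported bug
        self.clock = clock
        self._tokens = {}  # token -> [user, issued_at, submitted]

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = [user, self.clock(), False]
        return token

    def _live(self, token: str):
        entry = self._tokens.get(token)
        if entry is None or entry[2] or self.clock() - entry[1] > RESET_TTL_SECONDS:
            return None  # unknown, already submitted, or older than the TTL
        return entry

    def open_link(self, token: str) -> bool:
        """GET of the reset URL: render the form. Should be repeatable."""
        entry = self._live(token)
        if entry is None:
            return False
        if self.invalidate_on_open:
            del self._tokens[token]  # buggy: a mail-client prefetch consumes the link
        return True

    def submit_form(self, token: str, new_password: str) -> bool:
        """POST of the form: the only step that should make the link single-use."""
        entry = self._live(token)
        if entry is None:
            return False
        entry[2] = True  # consumed; later opens and submits are rejected
        return True


def simulate_double_hit(invalidate_on_open: bool):
    """Constructed scenario: the URL is fetched twice before the user submits."""
    store = ResetTokenStore(invalidate_on_open)
    token = store.issue("alice")
    prefetch = store.open_link(token)  # first hit, e.g. a mail client prefetch
    user_view = store.open_link(token)  # the user's actual click
    submit = store.submit_form(token, "constructed-new-password")
    replay = store.submit_form(token, "second-attempt")
    return prefetch, user_view, submit, replay
```

With the buggy setting the user's own click and the submission both fail after the prefetch; with the corrected setting the submission succeeds once and a replayed submission is rejected.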