[keycloak-user] Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak

Tomás García tomas at intrahouse.com
Wed Jun 15 16:49:51 EDT 2016


Hi,

In this URL:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003
it says:

"This form *WILL NOT* re-ask the user to enter in an email or username if
the previous email or username did not exist. You need to prevent attackers
from being able to guess valid users. So, if
AuthenticationFlowContext.getUser() returns null, you should proceed with
the flow to make it look like a valid user was selected."
And I totally agree with that, but it doesn't apply to all cases
unfortunately. If the admin enables "User registration", the user
registration form will tell a possible malicious guy if the email
combinations she's trying already exist, invalidating what the above
paragraph says. And I don't think there's a way to do the same as in the
"forgot password" feature with the registration form, because after
registration, there's an autologin.

Actually it's confusing for users telling them an email was sent even if
it's not... People sometimes can forget that they're not registered in the
Keycloak system, so the "forgot password" feature as it is today will make
them wait forever. At least, sending them an email telling them "You're not
registered. You can register by visiting this link." if "User registration" is
enabled or "Ask your admin to register your email in the system" if it's
not, would definitely be better.

Thanks.

-- 


*Tomás García Pérez*

*Software Developer*

*IntraHouse*
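The two behaviours discussed in the post, as an added Python illustration that is not Keycloak code and not part of the original message: a "forgot password" handler whose HTTP-visible response is the same whether or not the address is registered (the rule the quoted documentation states), with the differing information carried only in the e-mail body, following the poster's suggestion; beside it, a registration handler that answers differently for an existing address, which is the enumeration oracle the post describes. The account store, outbox, addresses and URLs are constructed sample values; `is_enumeration_oracle` is a hypothetical helper that compares the responses a handler gives for a known and an unknown address.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample account store (not Keycloak data).
REGISTERED = {"alice@example.com", "bob@example.com"}
REGISTRATION_ENABLED = True


@dataclass
class Outbox:
    """Constructed stand-in for the mail sender: records (recipient, body)."""
    sent: list = field(default_factory=list)


outbox = Outbox()


def forgot_password(email: str, registration_enabled: bool = REGISTRATION_ENABLED) -> dict:
    """Uniform 'forgot password' handler.

    The returned response is identical whether or not the address exists,
    so the form cannot be used to confirm valid accounts.  What differs is
    the e-mail body, which only the mailbox owner can read.
    """
    if email in REGISTERED:
        token = secrets.token_urlsafe(32)  # hypothetical reset token
        body = f"Reset your password: https://idp.example.test/reset?token={token}"
    elif registration_enabled:
        body = ("You're not registered. You can register by visiting "
                "https://idp.example.test/register")
    else:
        body = "You're not registered. Ask your admin to register your email in the system."
    outbox.sent.append((email, body))
    # Same status and wording for every input.
    return {"status": 200,
            "message": "If an account exists for this address, an email has been sent."}


def register_leaky(email: str) -> dict:
    """Registration form as the post describes it: the response itself
    reveals whether the address already has an account."""
    if email in REGISTERED:
        return {"status": 400, "error": "Email already exists."}
    REGISTERED.add(email)
    return {"status": 201, "message": "Account created; you are now logged in."}


def is_enumeration_oracle(handler, known_email: str, unknown_email: str) -> bool:
    """True if the handler's response distinguishes a registered address
    from an unregistered one (response body only; timing is not modelled)."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    print("forgot-password leaks existence:",
          is_enumeration_oracle(forgot_password, "alice@example.com", "nobody@example.com"))
    print("registration leaks existence:",
          is_enumeration_oracle(register_leaky, "alice@example.com", "carol@example.com"))
    for recipient, body in outbox.sent:
        print(f"mail to {recipient}: {body[:40]}...")
```

The comparison is on the response content only; in a real deployment the reset path must also avoid a measurable timing difference (for example by queueing the mail rather than sending it inline) or the oracle reappears through latency.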