[keycloak-user] Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak

Bill Burke bburke at redhat.com
Wed Jun 15 17:12:25 EDT 2016


Feel free to extend the plugin then. :)

On 6/15/16 4:49 PM, Tomás García wrote:
> Hi,
>
> In this url:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003
>
> it says:
>
> "This form *WILL NOT* re-ask the user to enter in an email or username
> if the previous email or username did not exist. You need to prevent
> attackers from being able to guess valid users. So, if
> AuthenticationFlowContext.getUser() returns null, you should proceed
> with the flow to make it look like a valid user was selected."
>
> And I totally agree with that, but it doesn't apply to all cases
> unfortunately. If the admin enables "User registration", the user
> registration form will tell a possible malicious guy if the email
> combinations she's trying already exist, invalidating what the above
> paragraph says. And I don't think there's a way to do the same as in the
> "forgot password" feature with the registration form, because after
> registration, there's an autologin.
>
> Actually it's confusing for users telling them an email was sent even
> if it's not... People sometimes can forget that they're not registered
> in the Keycloak system, so the "forgot password" feature as it is today
> will make them wait forever. At least, sending them an email telling
> them "You're not registered. You can register by visiting this link." if
> "User registration" is enabled or "Ask your admin to register your email
> in the system" if it's not, would be definitely better.
>
> Thanks.
>
> --
>
> *Tomás García Pérez*
>
> *Software Developer*
>
> *IntraHouse*
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
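The rule quoted from the documentation, as an added defensive sketch that is not Keycloak's own ResetCredentialChooseUser: an Authenticator for the first step of the reset-credentials flow that advances the flow the same way whether or not the submitted username or e-mail matches an account, so the browser sees the same "an e-mail has been sent" page either way. It assumes the 2016-era Authentication SPI signatures (getUserByUsername(String, RealmModel), getUserByEmail(String, RealmModel), clearUser(), success()); the form field name "username" and the message key are assumptions for the built-in reset-password template.

```java
// Illustrative sketch only; not Keycloak's shipped authenticator. SPI signatures
// as of Keycloak 1.9/2.x are assumed; the field name and message key are assumed.
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class UniformChooseUserAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render the "enter your username or e-mail" page.
        Response challenge = context.form().createPasswordReset();
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String input = form.getFirst("username"); // assumed field name of the reset form
        if (input == null || input.trim().isEmpty()) {
            // Only an empty submission is re-asked; an unknown account never is.
            context.challenge(context.form().setError("missingUsernameMessage").createPasswordReset());
            return;
        }
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();
        UserModel user = session.users().getUserByUsername(input.trim(), realm);
        if (user == null && input.contains("@")) {
            user = session.users().getUserByEmail(input.trim(), realm);
        }
        if (user == null) {
            // Record the miss in the server-side audit event only, keep no user on the
            // context, and advance exactly as for a match. The following e-mail step must
            // likewise call success() without sending anything when getUser() is null.
            context.getEvent().clone().detail(Details.USERNAME, input).error(Errors.USER_NOT_FOUND);
            context.clearUser();
            context.success();
            return;
        }
        context.setUser(user);
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The observable response, timing aside, is then identical for known and unknown accounts; the admin still sees the USER_NOT_FOUND error in the realm's event log.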