[keycloak-user] Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak
Tomás García
tomas at intrahouse.com
Wed Jun 15 19:01:39 EDT 2016
Yes, we already did our own authentication flow here a couple of weeks
ago, but I decided today to communicate this situation.
The question is that part of the documentation should be clarified,
because at least I was confused after I saw the inconsistency
when seeing the behaviour of the registration form: A malicious user
will still be capable of guessing valid users, so it's something that
should
be warned to developers / admins.
(Sorry I activated the digest mode of the mailing list and I don't
really know how to properly reply to a thread without receiving the
original email)
------------------
Feel free to extend the plugin then. :)
On 6/15/16 4:49 PM, Tomás García wrote:
>* Hi,
*>>* In this url:
*>* http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003
<http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003>
*>>* , it says:
*>>* "This form *WILL NOT* re-ask the user to enter in an email or username
*>* if the previous email or username did not exist. You need to prevent
*>* attackers from being able to guess valid users. So, if
*>* AuthenticationFlowContext.getUser() returns null, you should proceed
*>* with the flow to make it look like a valid user was selected."
*>>* And I totally agree with that, but it doesn't apply to all cases
*>* unfortunately. If the admin enables "User registration", the user
*>* registration form will tell the a possible malicious guy if the email
*>* combinations she's trying already exists, invalidating what the above
*>* paragraph says. And I don't think there's a way to do the same as in the
*>* "forgot password" feature with the registration form, because after
*>* registration, there's an autologin.
*>>* Actually it's confusing for users telling them an email was sent event
*>* if it's not... People sometimes can forget that they're not registered
*>* in the Keycloak system, so the "forgot password" feature as it is today
*>* will make them wait forever. At least, sending them an email telling
*>* them "You're not registered. You can register visiting this link." if
*>* "User registration" is enabled or "Ask your admin to register your email
*>* in the system" if it's not, would be definitely better.
*>>* Thanks.
*>>* --
*>>* *Tomás García Pérez
*>* *
*>>* *Software Developer*
*>>* *IntraHouse*
*>>>>* _______________________________________________
*>* keycloak-user mailing list
*>* keycloak-user at lists.jboss.org
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
*>* https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
*>
--
*Tomás García Pérez*
*Software Developer*
IntraHouse
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160616/af9c0c4c/attachment.html
More information about the keycloak-user
mailing list