[keycloak-user] Forgot password does not verify the account

Jonathan Little rationull at gmail.com
Thu May 11 12:01:47 EDT 2017


I'm not really in the know about this stuff, but I'd guess that's by
design. If the recovery process gave an error message for unregistered
email addresses, then that would provide a way for an attacker to find out
whether or not a given email address is registered in the service.

On Thu, May 11, 2017 at 6:47 AM, <tecnologia at growingup.com.co> wrote:

> The password remembering option is not validating that the email is
> registered.
>
> The expected result is that you do not use an unregistered email, you get
> an error message
>
> Always confirms, even when the account does not exist.
>
> --
>
> Jairo Henao Rojas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
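
The enumeration concern raised in the reply above, as an added example that is not part of the original thread and is not Keycloak's code: a reset handler that errors on unknown addresses beside one that answers identically either way. The class, method names, messages and sample addresses are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical wording; the point is that it is the same for every request.
GENERIC = "If that address is registered, you will receive reset instructions shortly."


@dataclass
class ResetService:
    users: set                                   # registered addresses (constructed sample data)
    outbox: list = field(default_factory=list)   # stands in for the mail queue
    tokens: dict = field(default_factory=dict)   # sha256(token) -> email

    def _issue_token(self, email):
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked token table cannot be replayed.
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = email
        self.outbox.append((email, token))

    def reset_leaky(self, email):
        """Errors on unknown addresses: the response reveals registration."""
        email = email.strip().lower()
        if email not in self.users:
            return 404, "No account is registered with that email address."
        self._issue_token(email)
        return 200, "Reset instructions sent."

    def reset_uniform(self, email):
        """Same status and body whether or not the account exists."""
        email = email.strip().lower()
        if email in self.users:
            # In a real service, queue this work so response time
            # does not differ between the two cases either.
            self._issue_token(email)
        return 200, GENERIC


def distinguishes_accounts(handler, known, unknown):
    """True if the response alone tells a registered address from an unregistered one."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    svc = ResetService(users={"alice@example.test"})
    for name in ("reset_leaky", "reset_uniform"):
        leaks = distinguishes_accounts(getattr(svc, name), "alice@example.test", "nobody@example.test")
        print(f"{name}: response reveals registration = {leaks}")
```

A check like `distinguishes_accounts` can run as a regression test against the recovery endpoint so that a later change to the error message does not reintroduce the difference.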

