Prevent security flaw using passwordless authentication
If you register without a password or delete your last token, your account can be hijacked. This can be done by simply trying to log in at the moment when the account is without a token. You get the "normal" registration dialog and can capture the complete account.
fritterhoff authored and Bruno Oliveira da Silva committed Aug 3, 2021
1 parent b4536a3 commit 65480cb
Showing 1 changed file with 6 additions and 0 deletions.
Expand Up @@ -53,4 +53,10 @@ public Authenticator create(KeycloakSession session) {
public String getId() {
return PROVIDER_ID;
}

@Override
public boolean isUserSetupAllowed() {
return false;
}

}
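Review bot: the new `isUserSetupAllowed()` override in this hunk carries no comment or Javadoc, so the reason it returns `false` (a user who has no credential configured for this authenticator must not be offered enrollment from the login flow, which is the takeover path described in the commit message) is only recoverable from the commit history; suggest a one-line comment above the `@Override` stating that, and a regression test that registers a user without a password, removes the last token, and asserts that the next login attempt does not present the setup/registration dialog.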
