It's not a security vulnerability directly, but sure, I can see that you would want to prevent users from being able to add a password. That should be possible to achieve by not giving the users from an identity provider manage-account access.
Hi,
Maybe there is a simple solution for this topic that we couldn't find, but isn't it true that a user who comes from an identity provider and has logged in once can go to his account page and change his password (if the account client is enabled), and this makes him a local Keycloak user? In the meantime, he could be deleted from the central identity provider and therefore shouldn't have access anymore, but as he changed his password (and now has a local password) he still has access?
Of course, it is possible to disable the account client so he cannot change his password, but for a scenario where there are both local users and users from an identity provider, I would also be disabling this feature for the local users, which obviously I don't want.
Do you have any thoughts on this, or ideas on how to solve the issue?
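An added example (not from this thread or from Keycloak itself) that audits for the gap described in the question and for the mitigation given in the reply: it flags brokered users who already hold a local password credential, and brokered users who still have manage-account and could therefore add one through the account console. The records are constructed and only shaped like per-user data from the Keycloak Admin REST API (federated identities, credentials, effective account-client roles); collecting them is assumed to happen elsewhere, and the function names are hypothetical.

```python
"""Audit user records for brokered users who can, or already did, set a local password.

The records below are CONSTRUCTED sample data, shaped like what the Keycloak
Admin REST API returns per user. Collecting them is assumed to be done by a
separate script; classify() and audit() are hypothetical helper names.
"""

# Constructed sample: one pre-joined entry per user.
SAMPLE_USERS = [
    {"username": "alice",
     "federatedIdentities": [{"identityProvider": "corp-saml", "userName": "alice@corp"}],
     "credentials": [{"type": "password"}],
     "accountRoles": [{"name": "manage-account"}, {"name": "view-profile"}]},
    {"username": "bob",
     "federatedIdentities": [{"identityProvider": "corp-saml", "userName": "bob@corp"}],
     "credentials": [],
     "accountRoles": [{"name": "manage-account"}, {"name": "view-profile"}]},
    {"username": "carol",
     "federatedIdentities": [{"identityProvider": "corp-saml", "userName": "carol@corp"}],
     "credentials": [],
     "accountRoles": [{"name": "view-profile"}]},
    {"username": "dave",  # plain local user: manage-account is expected here
     "federatedIdentities": [],
     "credentials": [{"type": "password"}],
     "accountRoles": [{"name": "manage-account"}, {"name": "view-profile"}]},
]


def classify(user):
    """Label one user record, or return None when there is nothing to report."""
    brokered = bool(user["federatedIdentities"])
    local_password = any(c["type"] == "password" for c in user["credentials"])
    can_manage = any(r["name"] == "manage-account" for r in user["accountRoles"])
    if brokered and local_password:
        # Already usable as a local account: removal at the IdP no longer locks them out.
        return "has-local-password"
    if brokered and can_manage:
        # The account console would let this user add a password; drop manage-account.
        return "can-set-local-password"
    return None


def audit(users):
    """Map username -> finding for every user that needs attention."""
    return {u["username"]: label for u in users if (label := classify(u)) is not None}
```

Because manage-account is normally granted through the realm's default role rather than mapped directly, the roles fed into this check should be the user's effective (composite) roles on the account client, not just direct mappings.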