-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle reset credentials flow with logged in user #29221
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unreported flaky test detected, please review
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testExternalExchangeCreateNewUserUsingMappers
org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testExternalExchange
org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testAccountLinkNoTokenStore
org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient
|
Thanks for the fix. I appreciate that this fix can have good usability for end user. But at the same time, I afraid a bit of the security... As this change pretty much adds SSO logic to reset-credentials flow and allows to bypass the email checks (like My preference is rather more secure approach, which would still require email verification in the reset-credential flow (As email verification is the form of the authentication). We can make sure that SSO authentication is ignored in the forked flow. Maybe some check can be added to Also I guess that WDYT? |
@mposolda Thanks for the review. My idea was to avoid sending the email since there is an existing sso session, but I agree that sending the password reset email is certainly more secure. Currently in the Yes, we could avoid showing |
+1 to do something to make sure that
Yeah, sounds like a good idea. If we can use without introducing authNote, it is always better :-) |
Closes keycloak#8887 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unreported flaky test detected, please review
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.saml.ArtifactBindingWithResolutionServiceTest#testReceiveArtifactLoginFullWithRedirect
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@graziang Thanks!
Avoid showing
ResetCredentialChooseUser
if SSO session is present.Cookie re-authentication is skipped if the flow is forked, to show 'Email sent" message.
Closes #8887