After reset password auto logged in to the system #10878

Closed
veerakishorekallam opened this issue Mar 23, 2022 · 10 comments
Labels
kind/bug Categorizes a PR related to a bug status/triage

Comments

@veerakishorekallam

Describe the bug

Hi Team,

After we reset the password, the user is redirected to the home page without being asked to log in to the system.

Steps to reproduce the issue

1. Click on forgot password
2. Enter email and submit
3. Receive the link
4. Click on the link
   - (If Keycloak is opened in the same browser, the user is auto logged in after setting the password)
   - (If Keycloak is opened in a different browser, the login form is shown after setting the password)
5. Set the new password

Thanks
Veera

Version

16.1.0

Expected behavior

Expected: After changing the password, the user should be redirected to the login page and enter the new password to log in.

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

@veerakishorekallam veerakishorekallam added kind/bug Categorizes a PR related to a bug status/triage labels Mar 23, 2022
@stianst
Contributor

stianst commented Apr 21, 2022

This is expected behaviour and it's pointless to ask the user to enter the password again after they've just reset it.

@stianst stianst closed this as completed Apr 21, 2022
@mohan-mu

@stianst That's right, it's a great idea to redirect to the app after resetting the password.

Just out of curiosity:
what if someone has to have this behaviour (it's common nowadays)?

What do you think is the right way to achieve this?
The intent here is to look for a way to have this (not to change Keycloak behaviour, but rather a question to see whether there is a possibility to achieve this).

@eldarj

eldarj commented Sep 30, 2022

Keycloak isn't an application on its own; it doesn't make any sense to say that something is expected behavior when obviously use cases dictate that.

Most applications on the web will request you to log in with the newly created password; you can argue that actually this is the expected behavior.

In either case, this issue should really be open and investigated to see whether it's feasible to implement a mechanism to easily disable the automatic login if someone wants to do so.

@SergeyZubatkin

@stianst
Completely agree with you: asking for the password after setting the password is pointless. Why does Keycloak ask the user to log in if they open the email link in a new browser (case 4.2 from the original scenario)? Is it somehow security related?

@dcruzb

dcruzb commented Oct 25, 2022

IMHO it's a valid and very appreciated issue.
The main purpose for me is to enable users to reset their password even if they don't use any system. There is no point in redirecting the user to a page that he is not supposed to have access to.

We use this feature to reset the LDAP password that provides access to many things, but not all users have access to anything outside LDAP, and in this case it is pointless to redirect the user to a system that he doesn't have access to.

@battosai30

If you have restriction by role, for example, this "auto-login" feature is a safety issue: sventorben/keycloak-restrict-client-auth#121

In my case, for example, a user who is not allowed to access a specific app can't do so when he uses the standard form. But if he resets his password, he can log in to the app ... At least it would be great to have a step in the flow to log out a user, so we could choose the behaviour.

When you work in a company or equivalent structure, you have to limit access, and not all apps allow you to "filter" users by roles. So for me it's a really strategic issue :s

@xgp
Contributor

xgp commented Jul 3, 2023

Agreed that asking for the password after setting the password is not necessary. However, this problem also seems to circumvent things like OTP, or other parts of the login authentication flow.

@jordibuj

My application doesn't allow multiple tabs open, for good reasons. That means that if the user loads the application in another tab, the first one will be kicked out.
Now we are introducing OIDC login with Keycloak, and the reset password flow doesn't play well with this requirement.

1. The user clicks on the forgot password link in the Keycloak login page
2. Then submits the form with the username
3. The browser goes back to the login page with the message saying the email has been sent; the username field is prefilled with the value sent in the previous form, and the password field is empty.
4. The user receives the email, then clicks on the email link.
5. A second tab is opened where the user changes the password.
6. Then both tabs are allowed in, and one of them fails because of the single tab requirement.

Would it be possible to prevent this behaviour? Either by redefining the reset credentials flow, or by extending the existing one with some custom behaviour?
I'm thinking of preventing the background tab from being allowed in when the password field is empty and the user is interacting in a different tab, but other solutions would be welcome as well.

@prifulnath

prifulnath commented Jun 4, 2024

I am facing the same issue as well. I needed to redirect to the login page after the password reset.
I think "where to redirect" after login should be configurable from the Keycloak realm settings itself.

@avpdiver

Agreed. Same issue.
