After reset password auto logged in to the system #10878
Comments
This is expected behaviour and it's pointless to ask the user to enter the password again after they've just reset it.
@stianst That's right. It's a great idea to redirect to the app after resetting the password. Just out of curiosity, what do you think is the right way to achieve this?
Keycloak isn't an application on its own - it doesn't make any sense to say that something is expected behavior when obviously use cases dictate that. Most applications on the web will request you to log in with the newly created password; you can argue that actually, this is the expected behavior. In either case - this issue should be open really and investigated whether it's feasible to implement a mechanism to easily disable the automatic login if someone would want to do so.
@stianst
IMHO it's a valid and very appreciated issue. We use this feature to reset the LDAP password that provides access to many things, but not all users have access to anything outside LDAP, and in this case it is pointless to redirect the user to a system to which he doesn't have access.
If you have restriction by role, for example, this "auto-login" feature is a safety issue: sventorben/keycloak-restrict-client-auth#121 In my case, for example, a user who is not allowed to access a specific app can't when he uses the standard form. But if he resets his password, he can log in to the app ... At least it would be great to have a step in the flow to log out a user, so we could choose the behaviour. When you work in a company or equivalent structure, you have to limit accesses, and not all apps allow you to "filter" users by roles. So for me it's a really strategic issue :s
Agreed that asking for the password after setting the password is not necessary. However, this problem also seems to circumvent things like OTP, or other parts of the login authentication flow.
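The two comments above describe the concrete risk: the reset flow ends in a session, so a user who is blocked from a client by the normal login flow (restrict-client-auth) may still land in it after a password reset. One defender-side check is to scan Keycloak's event log for a LOGIN that follows the reset-form submission closely and lands on a client the user is not entitled to. The script below is an added example written for this thread, not Keycloak's own code or the restrict-client-auth extension's: the event lines are constructed in the shape of a Keycloak JSON event export with only the fields the check needs, the `UPDATE_PASSWORD` event type is assumed to be what your Keycloak version emits when the reset form is submitted (pass a different `reset_event` if yours differs), and the per-user allowed-client map stands in for whatever role-to-client policy you actually enforce.

```python
"""Added example (not Keycloak's code): flag logins that follow a password
reset and land on a client the user is not entitled to use."""
import json

# Constructed sample events. Real Keycloak exports carry more fields
# (realmId, ipAddress, details, ...); only type/time/userId/clientId are used.
SAMPLE_EVENT_LINES = [
    '{"type":"SEND_RESET_PASSWORD","time":1000,"userId":"u1","clientId":"account"}',
    '{"type":"UPDATE_PASSWORD","time":5000,"userId":"u1","clientId":"account"}',
    '{"type":"LOGIN","time":6000,"userId":"u1","clientId":"hr-portal"}',
    '{"type":"LOGIN","time":7000,"userId":"u2","clientId":"hr-portal"}',
    '{"type":"UPDATE_PASSWORD","time":8000,"userId":"u3","clientId":"account"}',
    '{"type":"LOGIN","time":9000,"userId":"u3","clientId":"intranet"}',
    '{"type":"UPDATE_PASSWORD","time":10000,"userId":"u4","clientId":"account"}',
    '{"type":"LOGIN","time":710000,"userId":"u4","clientId":"hr-portal"}',
]

# Hypothetical entitlement policy: which clientIds each user may log in to.
# In a real deployment this would be derived from roles or the
# restrict-client-auth configuration.
ALLOWED_CLIENTS = {
    "u1": {"intranet"},
    "u2": {"hr-portal"},
    "u3": {"intranet"},
    "u4": {"intranet"},
}

RESET_WINDOW_MS = 10 * 60 * 1000  # how long after a reset a login still counts as "the auto-login"


def parse_event_lines(lines):
    """Parse one JSON event per line; skip blank or malformed lines rather than abort."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in ev for k in ("type", "time", "userId", "clientId")):
            events.append(ev)
    return events


def find_reset_autologins(events, allowed_clients, window_ms=RESET_WINDOW_MS,
                          reset_event="UPDATE_PASSWORD"):
    """Return (userId, clientId, login_time) for every LOGIN that occurs within
    window_ms after the user's most recent reset_event and targets a client
    outside that user's allowed set. Logins to allowed clients after a reset
    are not reported: that is the convenience the thread agrees is fine."""
    findings = []
    last_reset = {}  # userId -> time of most recent reset-form submission
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == reset_event:
            last_reset[ev["userId"]] = ev["time"]
        elif ev["type"] == "LOGIN":
            reset_at = last_reset.get(ev["userId"])
            if reset_at is None or ev["time"] - reset_at > window_ms:
                continue  # no recent reset for this user: ordinary login
            if ev["clientId"] not in allowed_clients.get(ev["userId"], set()):
                findings.append((ev["userId"], ev["clientId"], ev["time"]))
    return findings


if __name__ == "__main__":
    hits = find_reset_autologins(parse_event_lines(SAMPLE_EVENT_LINES), ALLOWED_CLIENTS)
    for user, client, when in hits:
        print(f"user {user} reached restricted client {client} at t={when} right after a reset")
```

Run it against a real export by replacing `SAMPLE_EVENT_LINES` with the lines of your event file; the window and the reset event name are the two knobs to tune for your version and your realm's token lifespan.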
My application doesn't allow multiple tabs open, for good reasons. That means, if the user loads the application in another tab, the first one will be kicked out.
Would it be possible to prevent this behaviour? Either by redefining the reset credentials flow, or by extending the existing one with some custom behaviour?
I am facing the same issue as well. I need to redirect to the login page after the password reset.
Agreed. Same issue.
Describe the bug
Hi Team,
After we reset the password, the user is redirected to the home page without being asked to log in to the system.
Steps to reproduce the issue
1. Click on forgot password
2. Enter email and submit
3. Receive the link
4. Click on the link
- (If Keycloak is opened in the same browser, the user is auto logged in after setting the password)
- (If Keycloak is opened in a different browser, the login form is shown after setting the password)
5. Set the new password
Thanks
Veera
Version
16.1.0
Expected behavior
Expected: After changing the password, the user should be redirected to the login page and enter the new password to log in.
Actual behavior
No response
How to Reproduce?
No response
Anything else?
No response