Open bf opened 1 year ago
Action token lifetime (e.g. for email verification) can be configured by the Keycloak admin on their instance per realm. @bf But I assume you want the default (which is 5 minutes) to be increased?
@MiGrandjean thanks for your quick reply.
I know admins can increase actionTokenGeneratedByUserLifespan
in their config (see example), but I was really wondering why this default was chosen.
I don't see the security benefit of a 5-min vs. a 20-min expiry when it enables greylisting for client mailservers. Maybe I'm missing something?
More background: The greylisting only kicks in when the mailserver receives the first email from that host. But obviously this coincides with the whole sign-up flow to a new website where Keycloak is utilized ;-)
This is not a bug, but rather an enhancement request.
I suggest starting a discussion in https://github.com/keycloak/keycloak/discussions to receive some more feedback. We can increase the default if this is really a problem for most administrators. I personally see 20 minutes as unnecessarily long, but I am rather from the "development" world and may not see the issues which typical administrators are seeing in their deployments :-) Also, we can possibly take inspiration from what typical servers are using as timeouts nowadays.
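The two comments above refer to raising `actionTokenGeneratedByUserLifespan` per realm rather than changing the shipped default. The script below is an added example, not code from the issue or from the Keycloak project, showing how an administrator does that through the Keycloak Admin REST API with only the Python standard library: log in to the `master` realm with the built-in `admin-cli` client, read the current realm-wide lifespan (seconds), and PUT a partial realm representation back. Assumptions: the server URL, realm name, the `KC_ADMIN_USER`/`KC_ADMIN_PASSWORD` environment variable names, the 24-hour cap, and the sample realm JSON are all mine; the per-action override attribute key used by `--verify-email` is my recollection of Keycloak's override naming and should be checked against your version's admin console.

```python
"""Inspect and raise actionTokenGeneratedByUserLifespan for one realm through the
Keycloak Admin REST API (standard library only). Added example, not Keycloak's own code."""
import json
import os
import sys
import urllib.parse
import urllib.request

DEFAULT_LIFESPAN_S = 300        # Keycloak ships action tokens (e.g. email verification) with a 5-minute lifespan
MAX_LIFESPAN_S = 24 * 3600      # policy cap chosen for this script, not a Keycloak limit

# Constructed stand-in for the response of GET /admin/realms/{realm}; only the fields this script touches.
SAMPLE_REALM = {
    "realm": "example",
    "actionTokenGeneratedByUserLifespan": DEFAULT_LIFESPAN_S,
    "attributes": {"frontendUrl": "https://sso.example.org"},
}


def parse_lifespan(text):
    """Turn '1200', '20m' or '1h' into seconds, rejecting zero, negative and over-cap values."""
    units = {"s": 1, "m": 60, "h": 3600}
    text = text.strip().lower()
    mult = 1
    if text and text[-1] in units:
        mult = units[text[-1]]
        text = text[:-1]
    if not text.isdigit():
        raise ValueError("lifespan must look like 1200, 20m or 1h")
    seconds = int(text) * mult
    if not 0 < seconds <= MAX_LIFESPAN_S:
        raise ValueError("lifespan must be between 1s and %ds" % MAX_LIFESPAN_S)
    return seconds


def current_lifespan(realm):
    """Effective realm-wide lifespan in seconds (falls back to the shipped default if absent)."""
    return int(realm.get("actionTokenGeneratedByUserLifespan", DEFAULT_LIFESPAN_S))


def plan_update(realm, lifespan_s, only_verify_email=False):
    """Build the partial RealmRepresentation to PUT; Keycloak applies only the fields present.

    only_verify_email=True leaves reset-password etc. at their current lifespan and raises the
    email-verification token alone via a per-action realm attribute. That attribute key is my
    recollection of Keycloak's override naming (assumption); confirm it against your version."""
    if only_verify_email:
        attrs = dict(realm.get("attributes") or {})          # copy so every other attribute is kept
        attrs["actionTokenGeneratedByUserLifespan.verify-email"] = str(lifespan_s)
        return {"attributes": attrs}
    return {"actionTokenGeneratedByUserLifespan": lifespan_s}


def _request(method, url, token=None, body=None, form=None):
    """Minimal JSON/form HTTP helper; returns parsed JSON or None for empty (204) responses."""
    data = None
    headers = {"Accept": "application/json"}
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def admin_token(server, user, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    return _request("POST", server + "/realms/master/protocol/openid-connect/token",
                    form={"grant_type": "password", "client_id": "admin-cli",
                          "username": user, "password": password})["access_token"]


if __name__ == "__main__":
    # usage: python raise_action_token_lifespan.py https://sso.example.org myrealm 20m [--verify-email]
    # Legacy (WildFly-based) distributions need the /auth prefix in the server URL.
    server, realm_name, lifespan = sys.argv[1].rstrip("/"), sys.argv[2], parse_lifespan(sys.argv[3])
    tok = admin_token(server, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    realm_url = "%s/admin/realms/%s" % (server, realm_name)
    realm = _request("GET", realm_url, token=tok)
    print("current realm-wide lifespan: %ds" % current_lifespan(realm))
    verify_only = "--verify-email" in sys.argv
    _request("PUT", realm_url, token=tok, body=plan_update(realm, lifespan, only_verify_email=verify_only))
    print("set to %ds%s" % (lifespan, " (verify-email only)" if verify_only else ""))
```

The value is stored in seconds, so the 20 minutes proposed in the thread is `1200`. Sending the full copied `attributes` map when using the per-action override avoids losing other realm attributes if the server replaces the map wholesale instead of merging it.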
Area
authentication
Describe the bug
As a security professional, I don't see the benefit of verification emails expiring after 5 minutes. As a user, I encounter expired links due to greylisting by my email server.
An increase from a 5-minute expiry to a 20-minute expiry would resolve such issues.
Background:
I signed up using GitHub SSO for the Keycloak instance used for "Arch Linux SSO".
Due to greylisting by my mail server, I received the email message only with a 10-minute delay. Greylisting is a common anti-spam technique; the Wikipedia article mentions that many systems even use a 15-minute greylisting delay.
This means, as soon as I receive the email the link is already expired.
This is the email sent out by keycloak:
Version
latest
Expected behavior
Link not expired once it reaches a greylisting email server's inbox
Actual behavior
Link is expired as soon as inbox is reached
How to Reproduce?
Sign up to Arch Linux SSO using GitHub SSO and use a mailserver from Mail-in-a-Box, which has greylisting enabled by default.
Anything else?
Wikipedia article which underlines that a greylisting time of up to 15 minutes is generally accepted: https://en.wikipedia.org/wiki/Greylisting_(email)
Keycloak should improve usability for such users, because the security benefit of a 5-minute email expiry is very small.