keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

"E-Mail Verification" email should not expire after 5 minutes #17363

Open bf opened 1 year ago

bf commented 1 year ago

Before reporting an issue

Area

authentication

Describe the bug

As a security professional, I don't see the benefit of verification emails expiring after 5 minutes. As a user, I encounter expired links due to greylisting by my email server.

An increase from "5 minutes" expiry to "20 minutes expiry" would resolve such issues.

Background:

I signed up using GitHub SSO for the Keycloak instance used for "Arch Linux SSO".

Due to greylisting by my mail server, I received the email message only with a 10-minute delay. Greylisting is a common anti-spam technique; the Wikipedia article mentions that many systems even use a 15-minute greylisting delay.

This means that as soon as I receive the email, the link is already expired.

This is the email sent out by Keycloak:

Someone has created an Arch Linux account using this email address. If this was you, click the link below to verify your email address

Link to e-mail address verification

This link will expire within 5 minutes.

If you didn't create this account, just ignore this message.

Version

latest

Expected behavior

Link not expired once it reaches a greylisting email server's inbox

Actual behavior

Link is expired as soon as inbox is reached

How to Reproduce?

Sign up to the Arch Linux SSO using GitHub SSO and use a mail server from Mail-in-a-Box, which has greylisting enabled by default.

Anything else?

Wikipedia article which underlines that a greylisting time of up to 15 minutes is generally accepted: https://en.wikipedia.org/wiki/Greylisting_(email)

Keycloak should improve usability for such users, because the security benefit of a 5-minute email expiry is very small.

MiGrandjean commented 1 year ago

The action token lifetime (e.g. for email verification) can be configured per realm by the Keycloak admin on their instance. @bf But I assume you want the default (which is 5 minutes) to be increased?

bf commented 1 year ago

@MiGrandjean thanks for your quick reply.

I know admins can increase actionTokenGeneratedByUserLifespan in their config (see example), but I was really wondering why this default was chosen.

I don't see the security benefit of a 5-minute vs. 20-minute expiry when it enables greylisting for client mail servers. Maybe I'm missing something?
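The per-realm setting named in the comments above, worked through as an added example (this is not code from the issue or from the Keycloak project). It reads `actionTokenGeneratedByUserLifespan` from a constructed realm export, checks it against a worst-case greylisting delay, derives a lifespan that covers that delay, and emits the matching `kcadm.sh` update; the realm name `example-sso` and the 5-minute margin are assumptions.

```python
import math

# Keycloak ships a 5-minute default for user-initiated action tokens
# (e-mail verification, password reset, ...); the value is in seconds.
DEFAULT_USER_ACTION_LIFESPAN = 300


def effective_user_action_lifespan(realm):
    """Lifespan (seconds) that e-mail verification links get in this realm."""
    return int(realm.get("actionTokenGeneratedByUserLifespan", DEFAULT_USER_ACTION_LIFESPAN))


def link_survives_delivery_delay(realm, delivery_delay_seconds):
    """True if a link stamped at send time is still valid once the mail finally arrives."""
    return delivery_delay_seconds < effective_user_action_lifespan(realm)


def recommended_lifespan(worst_case_delay_seconds, margin_seconds=300):
    """Smallest lifespan covering the delay plus a margin, rounded up to whole minutes."""
    total = worst_case_delay_seconds + margin_seconds
    return int(math.ceil(total / 60.0)) * 60


def raise_user_action_lifespan(realm, lifespan_seconds):
    """Copy of the realm representation with the user-initiated lifespan changed.

    The admin-initiated lifespan (actionTokenGeneratedByAdminLifespan) is a
    separate realm attribute and is deliberately left untouched.
    """
    updated = dict(realm)
    updated["actionTokenGeneratedByUserLifespan"] = lifespan_seconds
    return updated


def kcadm_command(realm_name, lifespan_seconds):
    """kcadm.sh invocation that applies the same change to a running instance."""
    return (f"kcadm.sh update realms/{realm_name} "
            f"-s actionTokenGeneratedByUserLifespan={lifespan_seconds}")


# Constructed sample: a minimal realm export carrying the shipped default.
SAMPLE_REALM = {"realm": "example-sso", "actionTokenGeneratedByUserLifespan": 300}
GREYLISTING_DELAY = 15 * 60  # upper end of the greylisting delays cited in the issue

if __name__ == "__main__":
    print("link survives 10-minute delay:", link_survives_delivery_delay(SAMPLE_REALM, 10 * 60))
    new_lifespan = recommended_lifespan(GREYLISTING_DELAY)
    print("recommended lifespan (s):", new_lifespan)
    print(kcadm_command(SAMPLE_REALM["realm"], new_lifespan))
```

With a 15-minute worst-case greylisting delay and a 5-minute margin the derived value is 1200 seconds, the 20-minute figure proposed in the issue.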

bf commented 1 year ago

More background: Greylisting only kicks in when the mail server receives the first email from that host. But obviously this coincides with the whole sign-up flow to a new website where Keycloak is utilized ;-)

mposolda commented 1 year ago

This is not a bug, but rather an enhancement request.

I suggest starting a discussion in https://github.com/keycloak/keycloak/discussions to receive some more feedback. We can increase the default if this is really a problem for most administrators. I personally see 20 minutes as unnecessarily long, but I am rather from the "development" world and may not see the issues which typical administrators are seeing in their deployments :-) Also we can possibly take inspiration from what typical servers are using as timeouts nowadays.