netzbegruenung / keycloak-mfa-plugins

Keycloak Authentication Provider implementation to get a 2nd-factor authentication with an OTP/code/token sent via SMS
Apache License 2.0

Multiple SMS code submissions #49

Closed melegiul closed 3 days ago

melegiul commented 1 year ago

After clicking the link of the password reset email, sometimes multiple SMS codes are submitted.

Maybe related to: https://github.com/netzbegruenung/keycloak-2fa-sms-authenticator/issues/30

svenseeberg commented 5 days ago

Wasn't that fixed upstream?

melegiul commented 3 days ago

I don't know. But as we can't control how Keycloak handles its password reset action token, we can't do much here. This might have been a Keycloak bug though, because the password reset action token handler is never expected to accept the same token more than once. https://github.com/keycloak/keycloak/blob/a7ae90cbb62820b80dbc21a1898d330e535154cf/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java#L77
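
The single-use expectation described in the last comment, as an added sketch that is not code from Keycloak or from this plugin: a token id is redeemed through one atomic check-and-mark step, so parallel requests for the same reset link trigger the SMS send only once. All class, method and token names are hypothetical, and the SMS send is a counter stand-in.

```java
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical sketch: none of these names are Keycloak or plugin APIs.
public class SingleUseTokenDemo {
    // token id -> expiry; an entry means the token was already redeemed
    private final ConcurrentHashMap<String, Instant> redeemed = new ConcurrentHashMap<>();
    final AtomicInteger smsSent = new AtomicInteger();

    /** Returns true only for the first redemption of a token id. */
    boolean redeemOnce(String tokenId, Instant expiresAt) {
        if (Instant.now().isAfter(expiresAt)) {
            return false; // expired tokens are rejected outright
        }
        // putIfAbsent is atomic: exactly one caller sees null
        return redeemed.putIfAbsent(tokenId, expiresAt) == null;
    }

    /** Handles one request for the reset link; sends at most one SMS per token. */
    void handleResetLink(String tokenId, Instant expiresAt) {
        if (redeemOnce(tokenId, expiresAt)) {
            smsSent.incrementAndGet(); // stand-in for the real SMS gateway call
        }
    }

    /** Drops entries for expired tokens so the map does not grow without bound. */
    void purgeExpired() {
        Instant now = Instant.now();
        redeemed.values().removeIf(now::isAfter);
    }

    public static void main(String[] args) throws InterruptedException {
        SingleUseTokenDemo demo = new SingleUseTokenDemo();
        Instant expiry = Instant.now().plusSeconds(300);
        ExecutorService pool = Executors.newFixedThreadPool(8);
        // Constructed scenario: the same link is requested 20 times in parallel.
        for (int i = 0; i < 20; i++) {
            pool.submit(() -> demo.handleResetLink("constructed-token-id-1", expiry));
        }
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        System.out.println("SMS codes sent: " + demo.smsSent.get());
    }
}
```

A plain read-then-write check (`containsKey` followed by `put`) would leave a window in which two parallel requests both pass, which is the failure mode the atomic `putIfAbsent` closes.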