Hello, I have a keycloak (18.x) installation and some saml applications that use it with no problem. My security people told me that when the user clicks on the reset password link in the login page and they receive an e-mail with the token in the link, someone could read some data in that token, for example the email of the user.
Is there a way to encrypt the whole token in the link in order to hide those data, or at least how to cut out the e-mail field?
I read in the documentation but it is a bit difficult to understand and I didn't understand what the client is where I have to modify something in order to obtain encryption for the token.
Thank you in advance.
Seems like someone blindly did some checks on the content.
The same email is available in the email itself (it is the recipient of this email). So encrypting the token would not help anyway. And the token is already encrypted. If some adversary gets hold of the email (before the legitimate user), he could reset the password anyway and gain access to the account. So if you need a high level of security you will need to disable the password reset anyway or configure it to require a second factor.
No no I want to encrypt the token, I think it’s possible reading the documentation but it is not so clear. So the response is not disable the reset password function but how to encrypt the token.
To explain the problem well: when I take the tokenId part of the link I received via e-mail and put it in the site https://token.dev/ I can see in the payload the e-mail address of the user that requested the reset email. The security people advised me to encrypt the tokenID because that information can stay in a proxy or be copied everywhere.
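The point the thread circles around is the difference between a signed token (JWS) and an encrypted one (JWE): a signature protects integrity, so the link cannot be altered without detection, but the claims travel in plain base64url and anyone who logs the URL (proxy, browser history, mail server) can read them. The following is an added example, written for this thread and not taken from Keycloak or from the posters; the key, the claim names and the `reset-credentials` value are constructed sample data, not Keycloak's actual token layout.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment never embeds a signing key in code.
DEMO_KEY = b"demo-signing-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments strip the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_signed_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS: header.payload.signature (constructed sample)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_without_key(token: str) -> dict:
    """Decode the payload of a JWS. No key is needed: signing gives integrity,
    not confidentiality, which is exactly what token.dev shows."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_signature(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def exposed_claims(token: str, sensitive=("email",)) -> list:
    """Names of personal-data claims that any intermediary logging the URL can read."""
    claims = read_claims_without_key(token)
    return [name for name in sensitive if name in claims]


# Constructed sample claims loosely modelled on a reset link; not Keycloak's schema.
SAMPLE_CLAIMS = {"typ": "reset-credentials", "email": "alice@example.com", "exp": 1700000000}
SAMPLE_TOKEN = make_signed_token(SAMPLE_CLAIMS, DEMO_KEY)

if __name__ == "__main__":
    print("claims readable without the key:", read_claims_without_key(SAMPLE_TOKEN))
    print("signature valid with the key:", verify_signature(SAMPLE_TOKEN, DEMO_KEY))
    print("personal data exposed in the link:", exposed_claims(SAMPLE_TOKEN))
```

Running it shows that `read_claims_without_key` returns the e-mail address without ever touching `DEMO_KEY`, while `verify_signature` fails as soon as the payload is altered. Hiding the claims therefore requires the token to be encrypted (JWE) rather than only signed, or the personal data to be left out of the token and looked up server-side from an opaque identifier; which of those a given Keycloak version supports for the reset-credentials action is the question the thread leaves open.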