
Set New Password Multiple Times via Password Reset Function #37231

@kmzs

Description

Area

login/ui

Describe the bug

Not sure if the area selected is correct

While it was not possible to use the "Link to reset credentials" after the password had been reset successfully, it was possible to change the password a second time if the link was opened in two browsers before the password reset was finished. (This was found in an older version 24.x but also tested in 26.1.1.)

Example link:
http://localhost:8081/realms/master/login-actions/action-token?key=eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI4NDMxNjMyZS1lOTc0LTQ3ZWYtYWVhZS01NjM4NDJmZTJhNWIifQ.eyJleHAiOjE3MzkyNzA1MTUsImlhdCI6MTczOTI3MDIxNSwianRpIjoiNWZlMzQxZjItMWU4MS00YTM3LTgzNDYtODFmM2VmYWI5OWE5IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgxL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODEvcmVhbG1zL21hc3RlciIsInN1YiI6IjcyMjQwYjY5LWNiNTUtNDYzZC1hNWExLWUyOTU1YjM4MTgxOCIsInR5cCI6InJlc2V0LWNyZWRlbnRpYWxzIiwiYXpwIjoic2VjdXJpdHktYWRtaW4tY29uc29sZSIsIm5vbmNlIjoiNWZlMzQxZjItMWU4MS00YTM3LTgzNDYtODFmM2VmYWI5OWE5IiwiYXNpZCI6ImFhZWM3ZmVmLTQ4MzAtNGI3Zi04YTI5LTI5ODAwZGYwZWU4ZS5ZdjNLUE5pY3pnWS5iNTFhMTM3My1mM2ViLTRlN2YtYjVkZS0zYWEwYmIzZWRhZTUiLCJlbWwiOiJ0ZXN0QHRlc3QuZGUifQ.pD4hZLwuvXfPU5Fr7Q90-0yJySBkUDnPULAq3gg2paBSIf5wO8ctt5mNKyMDnX7iGPDHL8gD1i6CHJJrf2uYig&execution=50decf3d-22af-4f31-8bc3-df061016277a&client_id=security-admin-console&tab_id=Yv3KPNiczgY&client_data=eyJydSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MS9hZG1pbi9tYXN0ZXIvY29uc29sZS8jL3Rlc3QvY2xpZW50cy9hY2ExYTQ3NC0yZjQzLTQ1ZWUtYjU4NS03Yzg1NzhhZTZkZWYvY3JlZGVudGlhbHMiLCJydCI6ImNvZGUiLCJybSI6InF1ZXJ5Iiwic3QiOiJjMjNmODc3Yi0xYmY1LTQ5ODYtODg3OS04ZTczZDI0YzVlMjYifQ

Version

26.1.1

Regression

  • The issue is a regression

Expected behavior

It should not be possible to change the password more than once with the same reset link.

Actual behavior

It appears that the JWT in the password reset link is invalidated after the password is updated. However, if the link is accessed twice before the password reset is finished, both sessions remain active and it is possible to change the password in both sessions. (As long as the JWT in the link is not expired.)

How to Reproduce?

  1. Create a user and set an email address.
  2. Enable the "Forgot password" function.
  3. Start a login and select forgot password.
  4. Enter the username.
  5. Open the reset link in two different browser sessions.
    1. Change the password in one session -> login with the new password is successful.
    2. Afterwards change the password in the second session -> login with the even newer password is successful.

Anything else?

Countermeasure

We think that the JWT should be sent with the final request in the process. Keycloak should validate the JWT when the password change is actually performed, and afterwards it should get invalidated.
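The race described in this report, modelled as an added example; this is illustrative Python, not Keycloak's Java code, and every name in it (`VulnerableFlow`, `HardenedFlow`, `mint_token`, the constructed HMAC key and user id) is an assumption. It contrasts a flow that checks the action token when the link is opened and only marks it used after the password is set, against a flow where the token is carried on the final request and consumed there in one check-and-mark step. With two sessions opening the same link, the first flow accepts both password changes, the second rejects the second one.

```python
"""Added example (not Keycloak code): models the two-session race on a
single-use password-reset action token and the fix of consuming the token
atomically at the final password-change request."""
import base64
import hashlib
import hmac
import json
import threading
import time
import uuid

SECRET = b"constructed-demo-secret"  # assumption: stands in for the realm HMAC key


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def mint_token(user_id: str, ttl: int = 300) -> str:
    """Minimal HMAC-signed action token with sub/jti/typ/exp, like the link's JWT."""
    payload = {"sub": user_id, "jti": str(uuid.uuid4()),
               "typ": "reset-credentials", "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def parse_token(token: str) -> dict:
    """Verify signature and expiry; raises ValueError on a bad or expired token."""
    body, sig = token.encode().rsplit(b".", 1)
    want = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, want):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if payload["exp"] < time.time():
        raise ValueError("expired")
    return payload


class VulnerableFlow:
    """Token is checked when the link is opened and marked used only after the
    password is set. Two sessions opened before either finishes each hold a
    valid reset session, so both password changes go through."""

    def __init__(self):
        self.used_jti = set()
        self.sessions = {}   # session id -> (user, jti)
        self.passwords = {}

    def open_link(self, token: str) -> str:
        p = parse_token(token)
        if p["jti"] in self.used_jti:
            raise PermissionError("token already used")
        sid = str(uuid.uuid4())
        self.sessions[sid] = (p["sub"], p["jti"])
        return sid

    def set_password(self, sid: str, new_pw: str) -> bool:
        user, jti = self.sessions.pop(sid)   # session trusted; token not re-checked here
        self.passwords[user] = new_pw
        self.used_jti.add(jti)               # too late: the other session was already admitted
        return True


class HardenedFlow:
    """The token is re-submitted with the final request and consumed there in a
    single check-and-mark step, so only one set_password per jti can succeed."""

    def __init__(self):
        self.used_jti = set()
        self.lock = threading.Lock()   # assumption: in a cluster this must be a shared store
        self.passwords = {}

    def open_link(self, token: str) -> str:
        p = parse_token(token)          # early validation for UX only, not a consume
        if p["jti"] in self.used_jti:
            raise PermissionError("token already used")
        return token                    # the reset form carries the token to the last step

    def set_password(self, token: str, new_pw: str) -> bool:
        p = parse_token(token)
        with self.lock:
            if p["jti"] in self.used_jti:
                raise PermissionError("token already used")
            self.used_jti.add(p["jti"])
        self.passwords[p["sub"]] = new_pw
        return True


def reproduce(flow_cls):
    """Open the same link in two sessions, change the password in both.
    Returns (first change ok, second change ok, final password)."""
    flow = flow_cls()
    token = mint_token("alice")          # constructed user
    s1 = flow.open_link(token)
    s2 = flow.open_link(token)
    first = flow.set_password(s1, "new-pw-1")
    try:
        second = flow.set_password(s2, "new-pw-2")
    except PermissionError:
        second = False
    return first, second, flow.passwords.get("alice")


if __name__ == "__main__":
    print("vulnerable:", reproduce(VulnerableFlow))
    print("hardened:  ", reproduce(HardenedFlow))
```

The hardened variant still validates the token when the link is opened so the user gets an early error, but that check is not what enforces single use; the check under the lock at `set_password` is. In a multi-node deployment the `used_jti` set has to live in storage shared by all nodes, or the same race reappears across nodes.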
