Reputation: 437
I'm working on a website that will be managed by Keycloak. There is an option to configure a realm to have "forgot password" functionality.
My question is how to protect against abuse of the "forgot password" option by someone sending multiple requests and spamming a user.
I was checking the Keycloak forums and documentation but couldn't find any information about it. Any help will be much appreciated.
Upvotes: 2
Views: 1227
Reputation: 31649
There's currently no way of doing this, as far as I know, unless you write some rule in your SMTP server that stops it sending mails to the same user beyond a concrete threshold in a time interval. There are some plans to include a CAPTCHA in the flow for the 5.x version, though.
Upvotes: 1
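The answer's suggestion is a per-recipient threshold within a time interval, enforced somewhere between the application and the mail server. The following is an added example (not Keycloak's code and not the answerer's) of such a sliding-window limiter, written as a stand-alone Python component that a mail-sending hook or relay could call before handing a reset mail to SMTP. It goes slightly beyond the answer by also keying on the requesting client's IP, so that one source cannot spray resets at many different users while staying under each per-recipient limit. The class and function names, the limits (3 mails per recipient per hour, 10 per source per hour) and the IP addresses and mailboxes in the sample traffic are all assumptions constructed for the illustration.

```python
"""Per-recipient and per-source throttle for password-reset mail.

Added example, not Keycloak's own code: a sliding-window limiter of the kind
the answer describes ("stop sending mails to the same user beyond a threshold
in a time interval"), plus a per-client-IP limit so a single source cannot
request resets for many different users. All names and limits are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_events: int        # mails allowed ...
    window_seconds: float  # ... within this sliding window


class ResetMailThrottle:
    def __init__(self, per_recipient: Limit, per_source: Limit) -> None:
        self.per_recipient = per_recipient
        self.per_source = per_source
        # key -> timestamps of mails actually sent, oldest first
        self._sent: dict[str, deque] = defaultdict(deque)

    @staticmethod
    def normalize(address: str) -> str:
        # Treat "Victim@Example.com " and "victim@example.com" as one mailbox,
        # otherwise an attacker sidesteps the limit by varying the case.
        # Provider-specific aliases (Gmail dots, +tags) are deliberately not folded.
        return address.strip().lower()

    def _within_budget(self, key: str, limit: Limit, now: float) -> bool:
        events = self._sent[key]
        while events and now - events[0] >= limit.window_seconds:
            events.popleft()  # drop entries that fell out of the window
        return len(events) < limit.max_events

    def allow(self, recipient: str, source_ip: str, now: float) -> bool:
        """Return True if a reset mail may be sent now; record it if so."""
        rcpt_key = "rcpt:" + self.normalize(recipient)
        src_key = "src:" + source_ip
        ok = (self._within_budget(rcpt_key, self.per_recipient, now)
              and self._within_budget(src_key, self.per_source, now))
        if ok:
            # Only mails that are actually sent consume budget, under both keys.
            self._sent[rcpt_key].append(now)
            self._sent[src_key].append(now)
        return ok


def simulate(requests, throttle=None):
    """Run constructed reset requests (recipient, source_ip, t_seconds) through
    a throttle and return (sent, dropped) counts."""
    if throttle is None:
        throttle = ResetMailThrottle(
            per_recipient=Limit(max_events=3, window_seconds=3600),
            per_source=Limit(max_events=10, window_seconds=3600),
        )
    sent = dropped = 0
    for recipient, source_ip, t in requests:
        if throttle.allow(recipient, source_ip, t):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


# Constructed sample traffic (not real data): one client hammers a single
# victim address 20 times in about three minutes, varying case and whitespace.
FLOOD = [("Victim@example.com" if i % 2 else " victim@example.com",
          "203.0.113.7", 10.0 * i) for i in range(20)]
# The same source later asks for resets of 20 different users.
SPRAY = [(f"user{i}@example.com", "203.0.113.7", 300.0 + i) for i in range(20)]

if __name__ == "__main__":
    print("flood (sent, dropped):", simulate(FLOOD))  # (3, 17): recipient limit
    print("spray (sent, dropped):", simulate(SPRAY))  # (10, 10): source limit
```

Two practical caveats: the state here lives in process memory, so behind several application or relay instances it needs a shared store (or the rule really does have to live on the single SMTP server, as the answer says); and dropping a legitimate user's request silently is a denial-of-service trade-off, so the response to the browser should look the same whether the mail was sent or throttled, while the throttled attempts are logged for detection.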