Hi,

On Tue, Jun 14, 2016 at 12:19 AM, Gayan Gunawardana <[email protected]> wrote:

> Hi Isura,
>
> I have a few suggestions.
>
> [1] At the end of both flows (Recover with Notification, Recover with
> Secret Questions) is it possible to send a notification (acknowledgment) to the
> end user to inform about the password update? This will give a good experience to the
> end user, and on the other hand the biggest problem with "Recover with Secret
> Questions" is that someone else can guess the answers to the security questions, so
> sending a notification at the end of password recovery is important.

This is already done. If you reset a password, you will get a notification
saying "Your password is successfully reset".

> [2] How can we support custom flows? For example:
>
> intiateUserChallengeQuestion()
> verifyUserChallengeAnswer()
> sendRecoveryNotification()
> updatePassword()

Currently, we don't support custom flows.

> [3] What are the extension points we have for this implementation? For
> example, instead of sending a recovery notification via email, the user needs to
> enter a PIN which is sent to his mobile.

Notification sending has the extension points to support SMS-based recovery.

Thanks
Isura

> Thanks,
> Gayan
>
> On Thu, Jun 9, 2016 at 11:06 AM, Isura Karunaratne <[email protected]> wrote:
>
>> Hi,
>>
>> On Thu, Jun 9, 2016 at 10:53 AM, Harsha Thirimanna <[email protected]> wrote:
>>
>>> Hi Isura,
>>>
>>> Any details about the error response with relevant error codes?
>>
>> We have developed error codes for the relevant error scenarios. I will update
>> the docs with the error codes.
>>
>>> *Harsha Thirimanna*
>>> Associate Tech Lead; WSO2, Inc.; http://wso2.com
>>> email: [email protected]; cell: +94 71 5186770
>>> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>>
>>> *Lean . Enterprise . Middleware*
>>>
>>> On Thu, Jun 9, 2016 at 10:46 AM, Dilan Udara Ariyaratne <[email protected]> wrote:
>>>
>>>> Hi Isura,
>>>>
>>>> According to the REST API Guidelines that we have defined across all
>>>> the products, the following suggestions can be made regarding the resource paths that you
>>>> have proposed.
>>>>
>>>> [1] Base path "accountrecovery" has two words in it and they can be
>>>> separated by a dash, i.e. as "account-recovery".
>>>> [2] It seems that path "rest" does not make any sense as a resource, so
>>>> it can be removed.
>>>> [3] Also, all the underscores included in processing functions
>>>> like "reset_password" and resource paths like "security_questions_response"
>>>> could be replaced with a dash (-).
>>
>> Thanks for the information. I will modify the APIs based on your
>> suggestions.
>>
>> Thanks
>> Isura
>>
>>>> Regards,
>>>> Dilan.
>>>>
>>>> *Dilan U. Ariyaratne*
>>>> Senior Software Engineer
>>>> WSO2 Inc. <http://wso2.com/>
>>>> Mobile: +94766405580
>>>> lean . enterprise . middleware
>>>>
>>>> On Wed, Jun 8, 2016 at 1:02 PM, Isura Karunaratne <[email protected]> wrote:
>>>>
>>>>> Identity Management Recovery API improvements.
>>>>>
>>>>> In Identity Server 5.3.0, we are going to implement Identity
>>>>> Management recovery APIs as REST resources. In the current implementations of
>>>>> IS 5.0.0 and IS 5.1.0 we have SOAP APIs for recovery scenarios [1].
>>>>>
>>>>> Captcha validation is coupled with recovery flows in the existing SOAP API
>>>>> implementation, and we have improved the Java API to decouple the captcha
>>>>> validation from recovery flows in the new implementations [4].
>>>>>
>>>>> Existing SOAP APIs
>>>>>
>>>>> Recover with Notification [2]
>>>>>
>>>>> - getCaptcha() - Generates a captcha.
>>>>> - verifyUser() - Validates the captcha answer and username and returns a new key.
>>>>> - sendRecoveryNotification() - Sends an email notification with a confirmation code to the user. Need to provide the key from the previous call.
>>>>> - getCaptcha() - Generates a captcha when the user clicks on the URL.
>>>>> - verifyConfirmationCode() - Validates the captcha answer and confirmation code. This returns a key.
>>>>> - updatePassword() - Updates the password in the system. Need to provide the key from the previous call and the new password; returns the status of the update, true or false.
>>>>>
>>>>> Recover with Secret Questions [3]
>>>>>
>>>>> - getCaptcha() - Generates a captcha.
>>>>> - verifyUser() - Validates the captcha answer and username and returns a new key.
>>>>> - getUserChallengeQuestionIds() - Retrieves the claim URI IDs specified for the user with the generated key. Need to provide the key from the previous call.
>>>>> - getUserChallengeQuestion() - Retrieves the user's challenge question for the specified claim URI ID from the previous call. Need to provide the key from the previous call.
>>>>> - verifyUserChallengeAnswer() - Validates the answer and confirmation code for the specified question. Need to provide the key from the previous call.
>>>>> - updatePassword() - Updates the password in the system. Need to provide the key from the previous call and the new password; returns the status of the update, i.e. true or false.
>>>>>
>>>>> New APIs
>>>>>
>>>>> Recover with Notification
>>>>>
>>>>> - sendRecoveryNotification(): validates the user and returns a new key through a notification.
>>>>> - updatePassword(): Updates the password in the system. Need to provide the key from the notification and the new password.
>>>>>
>>>>> Recover with Secret Questions
>>>>>
>>>>> - intiateUserChallengeQuestion(): validates the user and returns a question to answer with a secret code.
>>>>> - verifyUserChallengeAnswer(): validates the secret code and the answer for the question in the previous step. Returns a new question with a new secret until the minimum number of questions are answered.
>>>>> - updatePassword(): Updates the password in the system. Need to provide the key from the notification and the new password.
>>>>>
>>>>> New APIs for Multiple Questions at once
>>>>>
>>>>> - getAllChallegeQuestions(): validates the user and returns all questions to answer with a secret code.
>>>>> - validateAllChallengeAnswers(): validates the code and all answers and returns a code on success.
>>>>> - updatePassword(): Updates the password in the system. Need to provide the key from the notification and the new password.
>>>>>
>>>>> [1] https://docs.wso2.com/display/IS510/Password+Recovery
>>>>> [2] https://docs.wso2.com/display/IS510/Password+Recovery#PasswordRecovery-Recoveryusingnotifications
>>>>> [3] https://docs.wso2.com/display/IS510/Password+Recovery#PasswordRecovery-Recoveryusingchallengequestions
>>>>> [4] [Architecture] Decouple captcha validation from Recovery flows
>>>>>
>>>>> Sample Requests
>>>>>
>>>>> Send Email Notification
>>>>>
>>>>> POST accountrecovery/rest/notification/notify
>>>>> <https://localhost:9443/accountrecovery/rest/notification/notify>
>>>>>
>>>>> Request Body
>>>>>
>>>>> {
>>>>>   "userName": "testuser",
>>>>>   "tenantDomain": "carbon.super",
>>>>>   "userStoreDomain": "PRIMARY"
>>>>> }
>>>>>
>>>>> If notifications are internally managed,
>>>>>
>>>>> Response Body
>>>>>
>>>>> HTTP 200
>>>>>
>>>>> If notifications are externally managed,
>>>>>
>>>>> Response Body
>>>>>
>>>>> {
>>>>>   "user": {
>>>>>     "userName": "testuser",
>>>>>     "userStoreDomain": "PRIMARY",
>>>>>     "tenantDomain": "carbon.super"
>>>>>   },
>>>>>   "key": "f75da810-3478-47f4-80e5-c37556392015"
>>>>> }
>>>>>
>>>>> *Reset Password.*
>>>>>
>>>>> PUT /accountrecovery/rest/notification/reset_password
>>>>>
>>>>> Request Body
>>>>>
>>>>> {
>>>>>   "user": {
>>>>>     "userName": "test",
>>>>>     "userStoreDomain": "PRIMARY",
>>>>>     "tenantDomain": "carbon.super"
>>>>>   },
>>>>>   "code": "e4d6041b-2ea7-4dc1-9ae2-b8e9686e1d12",
>>>>>   "password": "12345"
>>>>> }
>>>>>
>>>>> Response Body
>>>>>
>>>>> HTTP 200
>>>>>
>>>>> Initiate User Challenge Question
>>>>>
>>>>> PUT /accountrecovery/rest/questions/initiate
>>>>>
>>>>> Request Body
>>>>>
>>>>> {
>>>>>   "userName": "admin",
>>>>>   "userStoreDomain": "PRIMARY",
>>>>>   "tenantDomain": "carbon.super"
>>>>> }
>>>>>
>>>>> Response body
>>>>>
>>>>> {
>>>>>   "question": "City where you were born ?",
>>>>>   "questionSetId": "http://wso2.org/claims/challengeQuestion1",
>>>>>   "code": "786f63b6-d0b7-4bd7-991e-12e97e4602e3",
>>>>>   "status": "INCOMPLETE"
>>>>> }
>>>>>
>>>>> Validate User Challenge Question
>>>>>
>>>>> POST /accountrecovery/security_questions_response
>>>>>
>>>>> Request Body
>>>>>
>>>>> {
>>>>>   "user": {
>>>>>     "userName": "admin",
>>>>>     "userStoreDomain": "PRIMARY",
>>>>>     "tenantDomain": "carbon.super"
>>>>>   },
>>>>>   "key": "12454125-15145-45554155",
>>>>>   "code": "fbc8e9e0-e6fd-4a75-8502-f03e5836930f",
>>>>>   "answer": "colombo"
>>>>> }
>>>>>
>>>>> Response body
>>>>>
>>>>> {
>>>>>   "question": "what is your favourite food ?",
>>>>>   "questionSetId": "http://wso2.org/claims/challengeQuestion2",
>>>>>   "code": "786f63b6-d0b7-4bd7-991e-12e97e4602e3",
>>>>>   "status": "INCOMPLETE"
>>>>> }
>>>>>
>>>>> This should be repeated until the status becomes COMPLETE.
>>>>>
>>>>> Response body
>>>>>
>>>>> {
>>>>>   "status": "COMPLETE",
>>>>>   "key": "3225d2dd-f5fa-44ca-9aa1-d1c32748b569"
>>>>> }
>>>>>
>>>>> Thanks
>>>>> Isura
>>>>>
>>>>> --
>>>>> Isura Dilhara Karunaratne
>>>>> Senior Software Engineer
>>>>> Mob +94 772 254 810
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933

--
Isura Dilhara Karunaratne
Senior Software Engineer
Mob +94 772 254 810

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
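The "Recover with Secret Questions" flow proposed in the quoted thread, modelled as an added example (this is not WSO2 Identity Server code): each step hands out a fresh single-use secret code bound to one question, a wrong answer or a replayed code ends the session, and the final key is consumed by the password update. The snake_case function names, the in-memory stores, the MIN_QUESTIONS policy and the sample user data are all assumptions made for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

MIN_QUESTIONS = 2  # assumed policy: answers needed before status becomes COMPLETE

# Constructed sample data (not real users): questionSetId -> (question, expected answer)
USER_QUESTIONS = {"admin": {
    "http://wso2.org/claims/challengeQuestion1": ("City where you were born ?", "colombo"),
    "http://wso2.org/claims/challengeQuestion2": ("what is your favourite food ?", "rice"),
}}

@dataclass
class Session:
    user: str
    current: str          # questionSetId the outstanding code is tied to
    remaining: list       # questionSetIds not yet asked
    answered: int = 0

SESSIONS: dict = {}      # one-time code -> Session; a code can be looked up once
RESET_KEYS: dict = {}    # reset key -> user; consumed by update_password

def _ask(s: Session) -> dict:
    """Issue a fresh secret code bound to the session's current question."""
    code = secrets.token_hex(16)
    SESSIONS[code] = s
    return {"question": USER_QUESTIONS[s.user][s.current][0],
            "questionSetId": s.current, "code": code, "status": "INCOMPLETE"}

def initiate_user_challenge_question(user: str) -> dict:
    ids = list(USER_QUESTIONS.get(user, {}))
    if not ids:
        return {"status": "INVALID"}  # no challenge questions configured for this user
    return _ask(Session(user, ids[0], ids[1:]))

def verify_user_challenge_answer(code: str, answer: str) -> dict:
    s = SESSIONS.pop(code, None)      # single-use: a replayed code finds nothing
    if s is None:
        return {"status": "INVALID"}
    expected = USER_QUESTIONS[s.user][s.current][1]
    if not hmac.compare_digest(answer.strip().lower().encode(), expected.encode()):
        return {"status": "INVALID"}  # wrong answer ends the session; caller must re-initiate
    s.answered += 1
    if s.answered >= MIN_QUESTIONS or not s.remaining:
        key = secrets.token_hex(16)
        RESET_KEYS[key] = s.user
        return {"status": "COMPLETE", "key": key}
    s.current = s.remaining.pop(0)    # next question gets its own new code
    return _ask(s)

def update_password(key: str, new_password: str) -> bool:
    user = RESET_KEYS.pop(key, None)  # the key is consumed on first use
    return user is not None and len(new_password) >= 8
```

The constant-time comparison and the pop-on-lookup pattern are what keep a guessed or captured code from being retried against the same question, which is the concern Gayan raises about guessable answers.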
