Hi all,
We are working on implementing account lock/disable features for IS 6.0.0.

*Account Lock:*
- User *must not* be able to log in to the system.
- Admin user *can* update the user attributes and assign roles (account is active).
- User cannot start a password recovery flow.

*Account Disable:*
- User *must not* be able to log in to the system.
- Admin user *cannot* update the user attributes and cannot assign roles until enabling the account (inactive state).
- User cannot start a password recovery flow.

*When will the account be locked?*
- Self sign-up users, until account confirmation.
- Trying to log in with invalid credentials more than the configured number of attempts. Then the account will be locked for a configured amount of time (like 5 minutes). This lock time will be increased if the user is locked again, based on a configuration.
- Providing invalid answers more than the configured number of attempts during password recovery.
- User onboarding with the Email/SMS verification flow.
- When the admin needs to block the user from logging in to the system.
- When an admin-initiated password reset flow starts.

*When will the account be disabled?*
- When the admin needs to inactivate the user.

What is the best way to handle the account disable check? We can do this from an interceptor level; then we need to check account disable in each operation.

Thanks,
Isura.

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: [email protected]
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
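The following is an added illustration of the lock/disable semantics laid out in the mail above; it is example code, not WSO2 Identity Server code. It models the three states (active, locked, disabled), a timed lockout after too many failed logins whose duration grows on each repeated lock, the self sign-up lock that holds until confirmation, and the rule that a locked account can still be edited by an admin while a disabled one cannot. The configuration names in `LockPolicy`, the doubling escalation factor, and the `require_active` / `require_enabled` interceptor decorators are assumptions made for this example; the mail describes the behaviour but not these identifiers.

```python
"""Account lock / disable state machine.

Added illustration of the semantics in the mail above; not WSO2 IS code.
All names and the escalation rule below are assumptions for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps
from typing import Optional, Type


class AccountState(Enum):
    ACTIVE = "active"      # login allowed
    LOCKED = "locked"      # login blocked; admin may still edit the user
    DISABLED = "disabled"  # login blocked; admin edits blocked until re-enabled


class AccountLockedError(Exception):
    pass


class AccountDisabledError(Exception):
    pass


@dataclass
class LockPolicy:
    # Assumed configuration knobs (the mail names the behaviour, not the keys).
    max_failed_logins: int = 3
    base_lock_seconds: int = 300      # "like 5 minutes"
    lock_time_multiplier: int = 2     # assumed: each repeated lock doubles it


@dataclass
class Account:
    username: str
    password: str                     # plaintext only in this toy model
    disabled: bool = False
    locked: bool = False
    locked_until: Optional[float] = None  # None = held until explicit action
    lock_reason: str = ""
    failed_logins: int = 0
    lock_count: int = 0               # number of timed locks so far
    attributes: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)


def account_state(acc: Account, now: float) -> AccountState:
    """Disable takes precedence over lock; an expired timed lock clears itself."""
    if acc.disabled:
        return AccountState.DISABLED
    if acc.locked and acc.locked_until is not None and now >= acc.locked_until:
        acc.locked, acc.locked_until, acc.lock_reason = False, None, ""
    return AccountState.LOCKED if acc.locked else AccountState.ACTIVE


def lock_account(acc: Account, reason: str, until: Optional[float] = None) -> None:
    acc.locked, acc.locked_until, acc.lock_reason = True, until, reason


def require_active(fn):
    """Interceptor for end-user flows: login and recovery need an ACTIVE account.
    Runs before any credential or answer check, so a locked or disabled user
    learns nothing about whether the supplied secret was right."""
    @wraps(fn)
    def wrapper(acc: Account, *args, now: float, **kw):
        st = account_state(acc, now)
        if st is AccountState.DISABLED:
            raise AccountDisabledError(acc.username)
        if st is AccountState.LOCKED:
            raise AccountLockedError(acc.lock_reason)
        return fn(acc, *args, now=now, **kw)
    return wrapper


def require_enabled(fn):
    """Interceptor for admin flows: refused only while DISABLED, fine while LOCKED."""
    @wraps(fn)
    def wrapper(acc: Account, *args, **kw):
        if acc.disabled:
            raise AccountDisabledError(acc.username)
        return fn(acc, *args, **kw)
    return wrapper


@require_active
def login(acc: Account, password: str, policy: LockPolicy, *, now: float) -> bool:
    if password == acc.password:
        acc.failed_logins = 0
        return True
    acc.failed_logins += 1
    if acc.failed_logins >= policy.max_failed_logins:
        acc.lock_count += 1
        duration = policy.base_lock_seconds * policy.lock_time_multiplier ** (acc.lock_count - 1)
        lock_account(acc, "too many failed logins", until=now + duration)
        acc.failed_logins = 0
    return False


@require_active
def start_password_recovery(acc: Account, *, now: float) -> str:
    return f"recovery started for {acc.username}"


@require_enabled
def admin_set_attribute(acc: Account, key: str, value: str) -> None:
    acc.attributes[key] = value


@require_enabled
def admin_assign_role(acc: Account, role: str) -> None:
    acc.roles.add(role)


def admin_disable(acc: Account) -> None:
    acc.disabled = True


def admin_enable(acc: Account) -> None:
    acc.disabled = False


def self_signup(username: str, password: str) -> Account:
    acc = Account(username, password)
    lock_account(acc, "pending account confirmation")  # no expiry: held until confirmed
    return acc


def confirm_signup(acc: Account) -> None:
    acc.locked, acc.locked_until, acc.lock_reason = False, None, ""


def outcome(fn, *args, **kw) -> Optional[Type[Exception]]:
    """Return the exception type a flow raised, or None if it succeeded."""
    try:
        fn(*args, **kw)
    except (AccountLockedError, AccountDisabledError) as e:
        return type(e)
    return None
```

Putting the disable check in a decorator rather than inside every admin operation is one answer to the question in the mail: each operation declares which state it requires and the check cannot be forgotten when a new operation is added. The login flow deliberately runs the state check before comparing the password, so a locked account does not keep consuming attempts or leak whether the guess was correct.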
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
