Hi Ishara,

On Fri, Jan 20, 2017 at 10:18 PM, Ishara Karunarathna <[email protected]>
wrote:

> Hi
>
> On Fri, Jan 20, 2017 at 4:28 PM, Rushmin Fernando <[email protected]>
> wrote:
>
>> Isura, as per my understanding, in most of the cases 'inactive' users are
>> treated as non-existing users.
>>
>> So from the domain model side we should have a method to .....
>>
>>      get the active users (since this is the default case, we can even name
>> the method getUsers() )
>>
>> and another method to ....
>>
>>      get the user including inactive users
>>
> +1 for this. Ideally in all user operations we can filter out the inactive
> users.
> Ex: in JDBC user stores we may use an account_inactive claim; in LDAP we can
> filter out with the UserAccountControl attribute.
>
>>
>> When it comes to operations, we anyway have to have an interceptor in the
>> authentication flow to refuse locked users (inactive users will not even be
>> considered)
>>
> One downside is performance. If we check this before in authentication
> it will reduce the performance.
> So if the user store (Identity store) supports account locking, it is better
> to use that implementation. If not, we have to explicitly check the
> account lock property.
>

I don't have much knowledge on the implementation. So please bear with me
if I'm suggesting an unrealistic solution.

As per my understanding ....

1) isLocked is a property of the user model.

2) So when we call authenticate(), the method implementation can do this
validation without an overhead.

3) Even if we assume that there is some overhead, IMO it's still worth
doing this at this level since the authenticate() call is called that
frequently.


On another note, if the admin is allowed to lock the user, then we should think
about the implementation of terminating the session of an already signed-in
user, in a distributed deployment.

>
> -Ishara
>
>
>>
>>
>> On Fri, Jan 20, 2017 at 3:32 PM, Isura Karunaratne <[email protected]>
>> wrote:
>>
>>> Hi all,
>>>
>>>
>>> We are working on implementing account lock/disable features for IS
>>> 6.0.0.
>>>
>>> *Account Lock: *
>>>
>>>    - User *must not *be able to login to the system.
>>>    - Admin user *can* update the user attributes and assign roles
>>>    (account is active)
>>>    - User cannot start a password recovery flow.
>>>
>>> *Account Disable: *
>>>
>>>    - User *must not* be able to login to the system.
>>>    - Admin user *can not* update the user attributes and cannot assign
>>>    roles until enabling the account. (inactive state)
>>>    - User cannot start a password recovery flow.
>>>
>>> *When will the account be locked?*
>>>
>>>    - Self Signup users until account confirmation
>>>    - Try to login with invalid credentials more than the configured number
>>>    of attempts. Then the account will be locked for a configured amount of
>>>    time (like 5 minutes). This lock time will be increased if the user is
>>>    locked again, based on a configuration.
>>>    - Provide invalid answers more than configured number of attempts,
>>>    when password recovery
>>>    - User onboarding with Email/SMS verification flow.
>>>    - When admin needs to block the user to login to the system
>>>    - When admin initiated password reset flow starts.
>>>
>>> *When will the account be disabled?*
>>>
>>>    - When admin needs to inactivate user.
>>>
>>> What is the best way to handle the account disable check? We can do this from
>>> an interceptor level, then we need to check account disable in each operation.
>>>
>>> Thanks
>>> Isura.
>>>
>>> *Isura Dilhara Karunaratne*
>>> Senior Software Engineer | WSO2
>>> Email: [email protected]
>>> Mob : +94 772 254 810
>>> Blog : http://isurad.blogspot.com/
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>> *Best Regards*
>>
>> *Rushmin Fernando*
>> *Technical Lead*
>>
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>
>> mobile : +94775615183
>>
>
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: [email protected],   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>

-- 
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware

mobile : +94775615183
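To make the design points in this thread concrete (Isura's lock vs. disable semantics, the lockout after a configured number of invalid attempts with a lock time that grows on repeated locks, and Rushmin's suggestion that isLocked lives on the user model so authenticate() can check it without extra cost, while getUsers() hides inactive users by default), here is an added illustrative model. It is constructed for this discussion and is not WSO2 Identity Server code; the class names, the attempt limit, the 5-minute base lock, the doubling policy and the string status values are all assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Policy values are assumptions for this example, not IS 6.0.0 defaults.
MAX_FAILED_ATTEMPTS = 3      # invalid logins allowed before the account is locked
BASE_LOCK_SECONDS = 300      # first temporary lock lasts "like 5 minutes"
LOCK_BACKOFF_FACTOR = 2      # each repeated lock doubles the previous lock time


class AccountDisabledError(Exception):
    """Raised when an admin tries to modify a disabled (inactive) account."""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    attributes: Dict[str, str] = field(default_factory=dict)
    disabled: bool = False              # "account disable": inactive, treated as non-existing
    locked: bool = False                # "account lock": still active, but login is refused
    lock_until: Optional[float] = None  # epoch seconds; None means an admin lock with no expiry
    failed_attempts: int = 0
    lock_count: int = 0                 # number of lockouts so far, drives the backoff

    def is_locked(self, now: float) -> bool:
        """isLocked is a property of the user model, so authenticate() gets it for free."""
        if not self.locked:
            return False
        if self.lock_until is not None and now >= self.lock_until:
            # Temporary lock has expired: clear it lazily on the next check.
            self.locked, self.lock_until, self.failed_attempts = False, None, 0
            return False
        return True


class IdentityStore:
    def __init__(self, clock=time.time):
        self._users: Dict[str, User] = {}
        self._clock = clock  # injectable so lock expiry can be exercised deterministically

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = User(username, salt, hash_password(password, salt))

    def get_users(self, include_inactive: bool = False) -> List[str]:
        """Default case returns active users only; disabled accounts are hidden."""
        return [u.username for u in self._users.values()
                if include_inactive or not u.disabled]

    def set_disabled(self, username: str, disabled: bool) -> None:
        self._users[username].disabled = disabled

    def admin_lock(self, username: str) -> None:
        user = self._users[username]
        user.locked, user.lock_until = True, None   # no expiry until an admin unlocks

    def admin_unlock(self, username: str) -> None:
        user = self._users[username]
        user.locked, user.lock_until, user.failed_attempts = False, None, 0

    def update_attributes(self, username: str, **attrs: str) -> None:
        """Admins may update a locked account but not a disabled one."""
        user = self._users[username]
        if user.disabled:
            raise AccountDisabledError(username)
        user.attributes.update(attrs)

    def authenticate(self, username: str, password: str) -> str:
        """Returns "OK", "LOCKED" or "INVALID_CREDENTIALS"."""
        now = self._clock()
        user = self._users.get(username)
        if user is None or user.disabled:
            # A disabled account answers exactly like an unknown one.
            return "INVALID_CREDENTIALS"
        if user.is_locked(now):
            return "LOCKED"   # refused even if the password would be correct
        if hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            user.failed_attempts = 0
            return "OK"
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.lock_count += 1
            user.locked = True
            user.lock_until = now + BASE_LOCK_SECONDS * LOCK_BACKOFF_FACTOR ** (user.lock_count - 1)
        return "INVALID_CREDENTIALS"
```

The lock check and the credential check share the single user lookup, which is the "no overhead" argument from the thread; a disabled account deliberately returns the same result as an unknown username so that the disable state cannot be probed through the login response.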