Hi Sagara,

On Mon, Feb 6, 2017 at 9:27 AM, Sagara Gunathunga <[email protected]> wrote:

>
> 1. We completely get rid of this enable/disable configuration setting.
> 2. Per domain Identity Admin (IM) can configure user name recovery option.
> 3. Default value ( if IM not specified ) should be "Reset through admin".
> 4. Here we generalize "Reset through admin" also as another (but default )
> recovery option.
>

Here we have to consider two levels of configurations.

   1. Whether we allow username recovery for the system or not?
      - This is a global configuration. Based on this we decide whether we
      proceed with username recovery requests or enable/disable relevant UI/API
      entry points for username recovery.
   2. What is the notification method that we use to communicate uniquely
   identified username to the user.
      - This may vary from domain to domain. In some domains users may have
      emails configured as contact info, some domains may have phone number as
      contact info. Some may not have any contact information at all.
      - Based on that we should have the flexibility to notify user.

This is a common scenario for all the recovery use scenarios.

> - IMHO we should show one valid message for both user not found and
> multiple users found cases to avoid information leaking, say "Could not
> find unique user name for provided claims, you may try with additional
> claims".
>
+1

>
> - For immediate release it's perfectly ok if we only support e-mail based
> account recovery but we should have proper architecture with extension
> capabilities so that we can introduce more options without affecting the
> current code.
>
+1

Thanks!
-Ayesha

-- 
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: [email protected] <[email protected]>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
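The two configuration levels and the single "not found / multiple found" message discussed in this thread, as an added example sketch; this is not WSO2 code. The user store, domains, claim names and the fallback to "Reset through admin" when a user has no contact info for the domain's channel are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Channel(Enum):
    EMAIL = "email"
    SMS = "sms"
    ADMIN = "admin"   # "Reset through admin": nothing is sent to the user directly

# One message for both "no user" and "several users", so the response does not
# reveal which claim combinations match an account (wording from the thread).
GENERIC_MSG = ("Could not find unique user name for provided claims, "
               "you may try with additional claims")

@dataclass
class RecoveryConfig:
    enabled: bool = True                                  # level 1: global switch
    domain_channel: dict = field(default_factory=dict)    # level 2: set per domain by the IM

    def channel_for(self, domain):
        return self.domain_channel.get(domain, Channel.ADMIN)   # default when IM set nothing

def _contact_for(user, channel):
    return {Channel.EMAIL: user.get("email"), Channel.SMS: user.get("phone")}.get(channel)

def recover_username(cfg, users, domain, claims):
    """Return (public_message, delivered_via). users: {domain: [user dicts]}."""
    if not cfg.enabled:
        return ("Username recovery is not available", None)
    if not claims:                       # empty claim set would match everyone
        return (GENERIC_MSG, None)
    matches = [u for u in users.get(domain, [])
               if all(u["claims"].get(k) == v for k, v in claims.items())]
    if len(matches) != 1:                # 0 and >1 matches are answered identically
        return (GENERIC_MSG, None)
    user = matches[0]
    channel = cfg.channel_for(domain)
    if channel is not Channel.ADMIN and not _contact_for(user, channel):
        channel = Channel.ADMIN          # assumption: no contact info -> admin handles it
    # The username itself leaves only via the out-of-band channel, never in the response.
    # Note: a distinct success message still tells a caller that the claims were unique.
    return ("Your user name has been sent through the configured channel", channel)

# Constructed sample user stores (not real accounts); "retail" has no channel configured.
USERS = {
    "corp": [
        {"username": "alice", "email": "[email protected]", "claims": {"first": "Alice", "last": "Liddell"}},
        {"username": "bob", "email": "[email protected]", "claims": {"first": "Bob", "last": "Liddell"}},
    ],
    "retail": [{"username": "carol", "claims": {"first": "Carol", "last": "Danvers"}}],
}
CFG = RecoveryConfig(domain_channel={"corp": Channel.EMAIL})
```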