Hi,
As per the architecture review we came up with the following use cases and
decisions.
I will refer to the following YAML representation of the configurations that
we came across as a deliverable of the discussion.
###############################################################################
recovery:
  password:
    enableAPI: true        # enable/disable in REST API : Global
    enablePortal: true     # enable/disable in UserPortal UI : Global
    url: "/user-portal/recovery/password"  # default page link for password recovery
    securityQuestion:
      enableAPI: true      # enable/disable in REST API
      enablePortal: true   # enable/disable in UserPortal UI
      notifyStart: false
      minAnswers: 2
    notificationBased:
      emailLink:
        enableAPI: true    # enable/disable in REST API
        enablePortal: true # enable/disable in UserPortal UI
      recoveryCode:        # not available in M3
        enableAPI: true    # enable/disable in REST API
        enablePortal: true # enable/disable in UserPortal UI
    externalLink:
      enablePortal: false  # enable/disable optional custom recovery mechanism
      url: "https://somewhere.com"  # external link or User Portal's custom page
  username:
    enableAPI: true
    enablePortal: true
    url: "/user-portal/recovery/username"
###############################################################################
1. There are two entry points to the recovery features: *User Portal* and
*REST API*.
2. IS-6.0 supports two main user recovery types.
   - Username recovery : user forgets his account's username
     - Can be globally turned on/off
   - Password recovery : user forgets his account's password
     - Can be globally turned on/off
3. Each recovery mechanism provided by default can be turned on/off
selectively for the User Portal or the REST API.
4. When a system needs to use an external password recovery mechanism
instead of the default IS supported methods,
   - Change the default *recovery.password.url* to a desired location.
This can be an external link or a custom page in the User Portal app as well.
   - Instead of the default password recovery page this will redirect to the
given custom location.
5. When a system needs to plug in an external password recovery
mechanism as an option alongside the default IS supported methods,
   - set *recovery.password.externalLink.enablePortal* to true
   - provide the desired URL as *recovery.password.externalLink.url*. This
can be a custom page in the User Portal app as well.
   - In the portal app an additional option will be visible with a link to
the provided URL.
6. When a system needs to use an external username recovery method other
than the IS default method, the system can change
*recovery.username.url* to a desired one.
7. System admins can decide on enabling/disabling of recovery methods via
notification.
   1. Link to recover password (*set: recovery.password.notificationBased*)
      - Email
   2. Recovery Code (*set: recovery.password.recoveryCodeBased*)
(Not implemented for M3)
      - Email
      - SMS
8. User can also request the preferred notification mechanism: email link
or recovery code.
9. Recovered username information will be sent via the user's preferred
contact method based on the use case (email, SMS).
   - If both email and mobile are provided, notifications will be sent on all
channels.
Refer: [Architecture Review] [IAM] User Recovery Features in IS-6.0 : by
[email protected]
Thanks!
-Ayesha
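As an added example, not code from this thread or from WSO2 IS: a Python sketch of how the switches in the YAML above resolve a recovery request per entry point and mechanism, plus the single uniform message for the username lookup that the quoted discussion below asks for. The config dict mirrors the YAML with constructed values (the externalLink URL and the username enablePortal flag are assumptions chosen to exercise the branches); the user records are constructed.

```python
# Added example (not from the mail thread). CONFIG mirrors the YAML; values are constructed.
CONFIG = {
    "recovery": {
        "password": {
            "enableAPI": True, "enablePortal": True,
            "url": "/user-portal/recovery/password",
            "securityQuestion": {"enableAPI": True, "enablePortal": True, "minAnswers": 2},
            "notificationBased": {
                "emailLink": {"enableAPI": True, "enablePortal": True},
                "recoveryCode": {"enableAPI": False, "enablePortal": False},  # not in M3
            },
            "externalLink": {"enablePortal": True, "url": "https://recovery.example.com"},
        },
        "username": {"enableAPI": True, "enablePortal": False,
                     "url": "/user-portal/recovery/username"},
    }
}

def is_enabled(section, entry_point):
    """Items 1-3: each mechanism carries its own switch per entry point (portal / REST API)."""
    key = {"portal": "enablePortal", "api": "enableAPI"}[entry_point]
    return bool(section.get(key, False))

def resolve(config, recovery_type, entry_point, mechanism=None):
    """Return (allowed, url) for a request; the global switch wins over mechanism switches."""
    top = config["recovery"][recovery_type]
    if not is_enabled(top, entry_point):
        return False, None
    if mechanism is None:                      # items 4 and 6: default page (may be an external URL)
        return True, top["url"]
    if mechanism == "externalLink":            # item 5: optional extra mechanism, portal only
        ext = top.get("externalLink", {})
        return (True, ext["url"]) if entry_point == "portal" and ext.get("enablePortal") else (False, None)
    section = top.get("notificationBased", {}).get(mechanism) or top.get(mechanism)
    if not isinstance(section, dict) or not is_enabled(section, entry_point):
        return False, None
    return True, top["url"]

UNIFORM_MSG = ("Could not find a unique user name for the provided claims, "
               "you may try with additional claims")

def lookup_username(users, claims):
    """Same reply for 0 and >1 matches, so the response does not reveal which claims exist."""
    matches = [u["username"] for u in users if all(u.get(k) == v for k, v in claims.items())]
    return (True, matches[0]) if len(matches) == 1 else (False, UNIFORM_MSG)

def notification_channels(user):
    """Item 9: deliver over every contact channel the user has (email and/or SMS)."""
    return [ch for ch, attr in (("email", "email"), ("sms", "mobile")) if user.get(attr)]
```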
On Mon, Feb 6, 2017 at 10:23 AM, Sagara Gunathunga <[email protected]> wrote:
>
>
> On Mon, Feb 6, 2017 at 10:14 AM, Ayesha Dissanayaka <[email protected]>
> wrote:
>
>> Hi Sagara,
>>
>> On Mon, Feb 6, 2017 at 9:27 AM, Sagara Gunathunga <[email protected]>
>> wrote:
>>
>>>
>>> 1. We completely get rid of this enable/disable configuration setting.
>>> 2. Per domain Identity Admin (IM) can configure user name recovery
>>> option.
>>> 3. Default value (if IM not specified) should be "Reset through
>>> admin".
>>> 4. Here we generalize "Reset through admin" also as another (but default)
>>> recovery option.
>>>
>>
>> Here we have to consider two levels of configurations.
>>
>> 1. Whether we allow username recovery for the system or not?
>> - This is a global configuration. Based on this we decide whether
>> we proceed with username recovery requests or enable/disable relevant
>> UI
>> /API entry points for username recovery.
>>
>> +1 to have this global level setting.
>
>
>>
>> 2. What is the notification method that we use to communicate the
>> uniquely identified username to the user?
>> - This may vary from domain to domain. In some domains users may
>> have emails configured as contact info, some domains may have phone
>> number
>> as contact info. Some may not have any contact information at all.
>> - Based on that we should have the flexibility to notify user.
>>
>> This is a common scenario for all the recovery scenarios.
>>
>
> My above suggestion will solve this 2nd part only.
>
> Thanks !
>
>>
>>> - IMHO we should show one valid message for both user not found and
>>> multiple users found cases to avoid information leaking, say "Could not
>>> find unique user name for provided claims, you may try with additional
>>> claims".
>>>
>> +1
>>
>>>
>>> - For the immediate release it's perfectly ok if we only support e-mail
>>> based account recovery, but we should have a proper architecture with
>>> extension capabilities so that we can introduce more options without
>>> affecting the current code.
>>>
>> +1
>>
>> Thanks!
>> -Ayesha
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: [email protected] <[email protected]>
>>
>
>
>
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.; http://wso2.com
> V.P Apache Web Services; http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ; http://ssagara.blogspot.com
>
>
--
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: [email protected] <[email protected]>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture