Hi all,

As per the suggestions, I will work on the reset password feature. The proposed flow of implementation for this feature is as follows:

[image: first_reset.png]
[image: second_reset.png]

We need the following APIs to handle a reset password request:

- /password-reset-initiate - generates a confirmation key
- /password-reset-notify - endpoint that gets called when the user clicks on the link; validates the confirmation key
- /password-reset - endpoint to reset the password; ultimately calls the SCIM API for updating the user

The password-reset-initiate and password-reset endpoints are associated with client_credentials grant types. We can add separate scopes to these resources to enhance security.

Here, do we need to have a dedicated endpoint that can be used to reset the password for users in the API Store, or can we have a common endpoint that is used to reset passwords, like we had in IS?

Please provide your thoughts and feedback.

Thanks,
Vithursa

On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <[email protected]> wrote:
> Hi All,
>
> Are we planning to implement the account locking feature for the 3.0.0
> release? Since we had this in 2.5/2.2, and this is a feature that we always
> suggest enabling in order to eliminate some of the security threats (i.e.
> password guessing attacks), if we are going to implement the 'forgot password'
> feature it's better to consider implementing this as well. WDYT?
>
> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <[email protected]> wrote:
>
>> I don't think we should decide the priority of the feature based on how
>> easy it is to implement. The priority should be decided based on its
>> importance. To me, someone forgetting a password is far more likely than
>> someone wanting to change it. So I would consider 'Forgot Password' a
>> must-have feature and 'Change Password' a good-to-have one.
>>
>> The other reason this thread made me think about the 'Forgot Password'
>> feature is that if we implement that feature, we can address the change
>> password capability through the same feature. We don't have to implement
>> two features to address the two use cases. So, two birds with one stone.
>> Less code, less bugs and less work.
>>
>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <[email protected]> wrote:
>>
>>> +1 to implementing the change password feature first, as it is simpler than
>>> the forgot password feature, which involves user verification.
>>> Also, for the forgot password feature we can either send an email with a
>>> temporary password or redirect to the change password.
>>> Even if we send a temporary password we will need to ask to change the
>>> password.
>>>
>>> Hi Vithursa,
>>>
>>> I would suggest having another required property called *retypeNewPassword*
>>> for new password verification.
>>>
>>> Thanks & Regards,
>>> Ishara Cooray
>>> Senior Software Engineer
>>> Mobile : +9477 262 9512
>>> WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <[email protected]> wrote:
>>>
>>>> Do we have any "send an email to user" feature in the APIM 3 road map?
>>>>
>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <[email protected]> wrote:
>>>>
>>>>> The forgot password feature should come with some sort of user
>>>>> verification (enter a security question, send email verification, SMS
>>>>> verification etc.).
>>>>> That feature needs to be implemented with some extensions, as all are not
>>>>> using the same verification process.
>>>>> So I think we can first complete this and come back to that feature.
>>>>>
>>>>> Thanks,
>>>>> sanjeewa.
>>>>>
>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <[email protected]> wrote:
>>>>>
>>>>>> +1. I too think that the forgot password option is more important and it
>>>>>> is not yet implemented. I would prefer if we start on that first.
>>>>>>
>>>>>> Thanks & Regards,
>>>>>> Mushthaq
>>>>>>
>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <[email protected]> wrote:
>>>>>>
>>>>>>> Do we have a forgot password option on the Store? I would think that
>>>>>>> is more important for an API Store than a change password functionality.
>>>>>>>
>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>> I am working on $subject in APIM 3.0.0. The planned flow of
>>>>>>>> implementation is as follows:
>>>>>>>>
>>>>>>>> [image: new_password_mail.png]
>>>>>>>> We have the SCIM API [1] for updating user info. A separate REST API
>>>>>>>> can be implemented to provide the feature to change the password by
>>>>>>>> wrapping the mentioned SCIM API. The sample resource could be as follows:
>>>>>>>>
>>>>>>>> PasswordChangeRequest:
>>>>>>>>   title: Request for changing password
>>>>>>>>   required:
>>>>>>>>     - username
>>>>>>>>     - currentPassword
>>>>>>>>     - newPassword
>>>>>>>>   properties:
>>>>>>>>     username:
>>>>>>>>       type: string
>>>>>>>>     currentPassword:
>>>>>>>>       type: string
>>>>>>>>     newPassword:
>>>>>>>>       type: string
>>>>>>>>
>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Vithursa
>>>>>>>> --
>>>>>>>> Vithursa Mahendrarajah
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>> Mobile : +94766695643
>>>>>>>
>>>>>>> --
>>>>>>> Nuwan Dias
>>>>>>>
>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>> email : [email protected]
>>>>>>> Phone : +94 777 775 729
>>>>>>
>>>>>> --
>>>>>> Mushthaq Rumy
>>>>>> Senior Software Engineer
>>>>>> Mobile : +94 (0) 779 492140
>>>>>> Email : [email protected]
>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>> lean . enterprise . middleware.
>>>>>
>>>>> --
>>>>> Sanjeewa Malalgoda
>>>>> WSO2 Inc.
>>>>> Mobile : +94 712933253
>>>>> blog : http://sanjeewamalalgoda.blogspot.com/
>>
>> --
>> Nuwan Dias
>>
>> Director - WSO2, Inc. http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>
> --
> Thilini Shanika
> Associate Technical Lead
> WSO2, Inc.; http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
>
> E-mail: [email protected]

--
Vithursa Mahendrarajah
Software Engineer
WSO2 Inc. - http://wso2.com
Mobile : +94766695643

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
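The confirmation-key lifecycle behind the three proposed endpoints (initiate, notify, reset), as an added example that is not part of the thread or of WSO2 APIM's code. It assumes a 15-minute key lifetime, a `set_password` callback standing in for the SCIM user-update call, and takes up the `retypeNewPassword` check suggested in the thread; only a digest of the key is stored, comparison is constant-time, and a key is consumed on first successful reset.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed confirmation-key lifetime (not from the thread)


class PasswordResetFlow:
    """Server-side state shared by /password-reset-initiate, -notify and -reset."""

    def __init__(self, set_password, now=time.time):
        self._set_password = set_password  # stand-in for the SCIM user-update call
        self._now = now                    # injectable clock, so expiry can be tested
        self._pending = {}                 # username -> (key_digest, expires_at)

    @staticmethod
    def _digest(key):
        # Only the digest is kept; a leaked store cannot be turned back into usable links.
        return hashlib.sha256(key.encode()).hexdigest()

    def initiate(self, username):
        """/password-reset-initiate: mint a single-use, time-limited confirmation key.
        The raw key goes only into the e-mail link; the server keeps its digest."""
        key = secrets.token_urlsafe(32)
        self._pending[username] = (self._digest(key), self._now() + TOKEN_TTL_SECONDS)
        return key

    def validate(self, username, key):
        """/password-reset-notify: check the key from the clicked link without consuming it."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[username]    # expired keys are purged rather than left usable
            return False
        return hmac.compare_digest(digest, self._digest(key))  # constant-time comparison

    def reset(self, username, key, new_password, retype_new_password):
        """/password-reset: consume the key and push the new password through SCIM."""
        if new_password != retype_new_password:
            return False
        if not self.validate(username, key):
            return False
        del self._pending[username]        # single use: replaying the same key now fails
        self._set_password(username, new_password)
        return True
```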
