On Tue, Aug 21, 2018 at 5:31 PM Vithursa Mahendrarajah <[email protected]> wrote:
> Hi all,
>
> As per suggestions, I will work on the reset password feature. The proposed flow of implementation for this feature is as follows:
>
> [image: first_reset.png] [image: second_reset.png]
>
> We need the following APIs to handle a reset password request:
> /password-reset-initiate - generates a confirmation key
> /password-reset-notify - endpoint gets called when the user clicks on the link, validates the confirmation key
> /password-reset - endpoint to reset the password, ultimately calls the SCIM API for updating the user

If we consider REST best practices then this URL pattern might need to change. password-reset can be a base path and /initiate, /notify etc. can be operations performed on the service. Also please see the URL patterns of other service providers.

Thanks,
sanjeewa.

> Password-reset-initiate and password-reset endpoints are associated with the client_credentials grant type. We can add separate scopes to these resources to enhance security.
> Here, do we need to have a dedicated endpoint that can be used to reset passwords for users in the API Store, or can we have a common endpoint that is used to reset passwords like we had in IS?
>
> Please provide your thoughts and feedback.
>
> Thanks,
> Vithursa
>
> On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <[email protected]> wrote:
>> Hi All,
>>
>> Are we planning to implement the account locking feature for the 3.0.0 release? We had this in 2.5/2.2 and it is a feature that we always suggest enabling in order to eliminate some of the security threats (i.e. password guessing attacks). If we are going to implement the 'forgot password' feature, it's better to consider implementing this as well. WDYT?
>>
>> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <[email protected]> wrote:
>>> I don't think we should decide the priority of the feature based on how easy it is to implement. The priority should be decided based on its importance. To me, someone forgetting a password is far more likely than someone wanting to change it. So I would consider 'Forgot Password' a must-have feature and 'Change Password' a good-to-have one.
>>>
>>> The other reason this thread made me think about the 'Forgot Password' feature is that if we implement that feature, we can address the change password capability through the same feature. We don't have to implement two features to address the two use cases. So, two birds with one stone. Less code, less bugs and less work.
>>>
>>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <[email protected]> wrote:
>>>> +1 to implement the change password feature first as it is simpler than the forgot password feature, which involves user verification.
>>>> Also for the forgot password feature we can either send an email with a temporary password or redirect to the change password.
>>>> Even if we send a temporary password we will need to ask to change the password.
>>>>
>>>> Hi Vithursa,
>>>>
>>>> I would suggest having another required property called retypeNewPassword for new password verification.
>>>>
>>>> Thanks & Regards,
>>>> Ishara Cooray
>>>> Senior Software Engineer
>>>> Mobile : +9477 262 9512
>>>> WSO2, Inc. | http://wso2.com/
>>>> Lean . Enterprise . Middleware
>>>>
>>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <[email protected]> wrote:
>>>>> Do we have any "send an email to user" feature in the APIM 3 road map?
>>>>>
>>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <[email protected]> wrote:
>>>>>> The forgot password feature should come with some sort of user verification (enter a security question, send email verification, SMS verification etc.).
>>>>>> That feature needs to be implemented with some extensions, as not all are using the same verification process.
>>>>>> So I think we can first complete this and come back to that feature.
>>>>>>
>>>>>> Thanks,
>>>>>> sanjeewa.
>>>>>>
>>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <[email protected]> wrote:
>>>>>>> +1. I too think that the forgot password option is more important and it is not yet implemented. I would prefer if we start on that first.
>>>>>>>
>>>>>>> Thanks & Regards,
>>>>>>> Mushthaq
>>>>>>>
>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <[email protected]> wrote:
>>>>>>>> Do we have a forgot password option on the Store? I would think that is more important for an API Store than a change password functionality.
>>>>>>>>
>>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>> Hi all,
>>>>>>>>> I am working on $subject in APIM 3.0.0. The planned flow of implementation is as follows:
>>>>>>>>>
>>>>>>>>> [image: new_password_mail.png]
>>>>>>>>> We have the SCIM API [1] for updating user info. A separate REST API can be implemented to provide the feature to change the password by wrapping the mentioned SCIM API. The sample resource could be as follows:
>>>>>>>>>
>>>>>>>>>   PasswordChangeRequest:
>>>>>>>>>     title: Request for changing password
>>>>>>>>>     required:
>>>>>>>>>       - username
>>>>>>>>>       - currentPassword
>>>>>>>>>       - newPassword
>>>>>>>>>     properties:
>>>>>>>>>       username:
>>>>>>>>>         type: string
>>>>>>>>>       currentPassword:
>>>>>>>>>         type: string
>>>>>>>>>       newPassword:
>>>>>>>>>         type: string
>>>>>>>>>
>>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Vithursa
>>>>>>>>> --
>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>> Mobile : +94766695643
>>>>>>>>
>>>>>>>> --
>>>>>>>> Nuwan Dias
>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>> email : [email protected]
>>>>>>>> Phone : +94 777 775 729
>>>>>>>> _______________________________________________
>>>>>>>> Architecture mailing list
>>>>>>>> [email protected]
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>
>>>>>>> --
>>>>>>> Mushthaq Rumy
>>>>>>> Senior Software Engineer
>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>> Email : [email protected]
>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>> lean . enterprise . middleware.
>>>>>>
>>>>>> --
>>>>>> Sanjeewa Malalgoda
>>>>>> WSO2 Inc.
>>>>>> Mobile : +94 712933253
>>>>>> blog : http://sanjeewamalalgoda.blogspot.com/
>>
>> --
>> Thilini Shanika
>> Associate Technical Lead
>> WSO2, Inc.; http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>>
>> E-mail: [email protected]
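The three-step flow proposed above (initiate generates a confirmation key, notify validates it when the link is clicked, reset consumes it and updates the user), written out as an added example; this is not WSO2 code and not the thread's own implementation. It assumes an in-memory dict standing in for the SCIM user store, that the confirmation key is returned to the caller instead of being e-mailed, and that the method names initiate/notify/reset correspond to /password-reset-initiate, /password-reset-notify and /password-reset. The key lifetime and failure limit are assumed values. It also folds in Ishara's retypeNewPassword check and, in the spirit of Thilini's account-locking point, revokes a key after repeated wrong guesses.

```python
# Added example (not WSO2 code): the reset flow proposed in the thread as an
# in-memory service so it runs offline. Assumptions: a dict stands in for the
# SCIM user store; the confirmation key is returned rather than e-mailed;
# TOKEN_TTL_SECONDS and MAX_KEY_FAILURES are illustrative values.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # confirmation key lifetime (assumed)
MAX_KEY_FAILURES = 5          # wrong-key attempts before the key is revoked (assumed)
SALT_LEN = 16
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest for storage."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against the stored salt || digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class ResetRecord:
    key_hash: bytes     # only a hash of the key is kept server-side
    expires_at: float


@dataclass
class PasswordResetService:
    users: Dict[str, bytes]                    # stand-in for SCIM: username -> password hash
    clock: Callable[[], float] = time.time     # injectable clock for tests
    pending: Dict[str, ResetRecord] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)

    @staticmethod
    def _hash_key(key: str) -> bytes:
        return hashlib.sha256(key.encode()).digest()

    def initiate(self, username: str) -> Optional[str]:
        """/password-reset-initiate: mint a random, time-limited confirmation key.

        Returns the key that would be e-mailed, or None for an unknown user. The
        HTTP response to the caller should look the same in both cases so the
        endpoint does not reveal which usernames exist."""
        if username not in self.users:
            return None
        key = secrets.token_urlsafe(32)
        self.pending[username] = ResetRecord(self._hash_key(key), self.clock() + TOKEN_TTL_SECONDS)
        return key

    def notify(self, username: str, key: str) -> bool:
        """/password-reset-notify: validate the key from the link without consuming it."""
        rec = self.pending.get(username)
        if rec is None:
            return False
        if self.clock() > rec.expires_at:
            del self.pending[username]          # expired keys are discarded
            return False
        if not hmac.compare_digest(rec.key_hash, self._hash_key(key)):
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] >= MAX_KEY_FAILURES:
                del self.pending[username]      # too many guesses: revoke the key
            return False
        return True

    def reset(self, username: str, key: str, new_password: str, retype_new_password: str) -> bool:
        """/password-reset: consume the key and update the stored password."""
        if new_password != retype_new_password:  # the retypeNewPassword check
            return False
        if not self.notify(username, key):
            return False
        del self.pending[username]              # single use: the key cannot be replayed
        self.failures.pop(username, None)
        self.users[username] = hash_password(new_password)  # would be the SCIM update in APIM
        return True


if __name__ == "__main__":
    svc = PasswordResetService(users={"alice": hash_password("old-pw")})   # constructed user
    key = svc.initiate("alice")
    print("link valid:", svc.notify("alice", key))
    print("reset done:", svc.reset("alice", key, "new-pw", "new-pw"))
    print("replay rejected:", not svc.notify("alice", key))
```

The point worth checking against any real implementation is the set of states a key can be in: unknown user (same response as success), valid, expired, wrong (counted), revoked after too many wrong attempts, and already used. Each of those is a separate branch above and each should be a separate test case.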
