+1 to make password-reset the base path if we are not going to have any other APIs other than password reset.

Since clicking on the URL in the e-mail is something that confirms the password reset action, I would suggest changing the endpoint to *confirm* rather than notify:

/initiate
/confirm - endpoint gets called when user clicks on the link, validates the confirmation key
/

Hope we can use the same password-reset API for the change password request as well.

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Tue, Aug 21, 2018 at 5:43 PM, Sanjeewa Malalgoda <[email protected]> wrote:

> On Tue, Aug 21, 2018 at 5:31 PM Vithursa Mahendrarajah <[email protected]> wrote:
>
>> Hi all,
>>
>> As per suggestions, I will work on the reset password feature. The proposed flow of implementation for this feature is as follows:
>>
>> [image: first_reset.png] [image: second_reset.png]
>>
>> We need the following APIs to handle a reset password request:
>> /password-reset-initiate - generates a confirmation key
>> /password-reset-notify - endpoint gets called when user clicks on the link, validates the confirmation key
>> /password-reset - endpoint to reset password, ultimately calls SCIM API for updating user
>>
> If we consider REST best practices then this URL pattern might need to change. password-reset can be a base path and /initiate, /notify etc. can be operations performed on the service.
> Also please see URL patterns of other service providers.
>
> Thanks,
> sanjeewa.
>
>> Password-reset-initiate and password-reset endpoints are associated with client_credentials grant types. We can add separate scopes to these resources to enhance security.
>> Here, do we need to have a dedicated endpoint that can be used to reset password for users in API store, or can we have a common endpoint that is used to reset password like we had in IS?
>>
>> Please provide your thoughts and feedback.
>>
>> Thanks,
>> Vithursa
>>
>> On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> Are we planning to implement the account locking feature for the 3.0.0 release? Since we had this in 2.5/2.2 and this is a feature that we always suggest to enable in order to eliminate some of the security threats (i.e. password guessing attacks). If we are going to implement the 'forgot password' feature, it's better to consider implementing this as well. WDYT?
>>>
>>> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <[email protected]> wrote:
>>>
>>>> I don't think we should decide the priority of the feature based on how easy it is to implement. The priority should be decided based on its importance. To me, someone forgetting a password is far more likely than someone wanting to change it. So I would consider 'Forgot Password' as a must have feature and 'Change Password' as a good to have one.
>>>>
>>>> The other reason this thread made me think about the 'Forgot Password' feature is that if we implement that feature, we can address the change password capability through the same feature. We don't have to implement two features to address the two use cases. So, two birds with one stone. Less code, less bugs and less work.
>>>>
>>>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <[email protected]> wrote:
>>>>
>>>>> +1 to implement the change password feature first as it is simpler than the forgot password feature, which involves user verification.
>>>>> Also for the forgot password feature we can either send an email with a temporary password or redirect to the change password.
>>>>> Even if we send a temporary password we will need to ask to change the password.
>>>>>
>>>>> Hi Vithursa,
>>>>>
>>>>> I would suggest having another required property called *retypeNewPassword* for new password verification.
>>>>>
>>>>> Thanks & Regards,
>>>>> Ishara Cooray
>>>>> Senior Software Engineer
>>>>> Mobile : +9477 262 9512
>>>>> WSO2, Inc. | http://wso2.com/
>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <[email protected]> wrote:
>>>>>
>>>>>> Do we have any send-an-email-to-user feature in the APIM 3 road map?
>>>>>>
>>>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <[email protected]> wrote:
>>>>>>
>>>>>>> The forgot password feature should come with some sort of user verification (enter security question or send email verification, SMS verification etc.).
>>>>>>> That feature needs to be implemented with some extensions as all are not using the same verification process.
>>>>>>> So I think we can first complete this and come back to that feature.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> sanjeewa.
>>>>>>>
>>>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <[email protected]> wrote:
>>>>>>>
>>>>>>>> +1. I too think that the forgot password option is more important and it is not yet implemented. I would prefer if we start on that first.
>>>>>>>>
>>>>>>>> Thanks & Regards,
>>>>>>>> Mushthaq
>>>>>>>>
>>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Do we have a forgot password option on the Store? I would think that is more important for an API Store than a change password functionality.
>>>>>>>>>
>>>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>> I am working on $subject in APIM 3.0.0. The planned flow of implementation is as follows:
>>>>>>>>>>
>>>>>>>>>> [image: new_password_mail.png]
>>>>>>>>>>
>>>>>>>>>> We have SCIM API [1] for updating user-info. A separate REST API can be implemented to provide the feature to change password by wrapping the mentioned SCIM API. The sample resource could be as:
>>>>>>>>>>
>>>>>>>>>> PasswordChangeRequest:
>>>>>>>>>>   title: Request for changing password
>>>>>>>>>>   required:
>>>>>>>>>>     - username
>>>>>>>>>>     - currentPassword
>>>>>>>>>>     - newPassword
>>>>>>>>>>   properties:
>>>>>>>>>>     username:
>>>>>>>>>>       type: string
>>>>>>>>>>     currentPassword:
>>>>>>>>>>       type: string
>>>>>>>>>>     newPassword:
>>>>>>>>>>       type: string
>>>>>>>>>>
>>>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Vithursa
>>>>>>>>>> --
>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>> Software Engineer
>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>> Mobile : +94766695643
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Nuwan Dias
>>>>>>>>>
>>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>>> email : [email protected]
>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>> _______________________________________________
>>>>>>>>> Architecture mailing list
>>>>>>>>> [email protected]
>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Mushthaq Rumy
>>>>>>>> *Senior Software Engineer*
>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>> Email : [email protected]
>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>> lean . enterprise . middleware.
>>>>>>>>
>>>>>>> --
>>>>>>> *Sanjeewa Malalgoda*
>>>>>>> WSO2 Inc.
>>>>>>> Mobile : +94 712933253
>>>>>>> blog : http://sanjeewamalalgoda.blogspot.com/
>>>>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Director - WSO2, Inc. http://wso2.com
>>>> email : [email protected]
>>>> Phone : +94 777 775 729
>>>>
>>> --
>>> Thilini Shanika
>>> Associate Technical Lead
>>> WSO2, Inc.; http://wso2.com
>>> 20, Palmgrove Avenue, Colombo 3
>>>
>>> E-mail: [email protected]
>>>
>> --
>> Vithursa Mahendrarajah
>> Software Engineer
>> WSO2 Inc. - http://wso2.com
>> Mobile : +94766695643
>>
> --
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +94 712933253
> blog : http://sanjeewamalalgoda.blogspot.com/
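The thread settles on three operations under one password-reset base path (initiate generates a confirmation key, confirm validates it when the user clicks the e-mailed link, and the final reset updates the password through the SCIM API), plus two side points: a retypeNewPassword field and account locking against password guessing. The following is an added example, not WSO2 code and not taken from any message above: an in-memory Python model of that flow written from the defender's side. The class name ResetService, the user store, the scim_update stand-in, the 15-minute key lifetime and the failure threshold are all assumptions made for this example. It stores only a hash of the confirmation key, compares it in constant time, expires it, makes it single-use, gives the same response whether or not the username exists, and locks the account after repeated bad confirmation attempts.

```python
"""Added example (not WSO2 code): an in-memory model of the three-step
password-reset flow discussed in the thread.

Everything here is an assumption for illustration: ResetService, the dict
user store, the scim_update stand-in for the SCIM "update user" call, the
key lifetime and the lockout threshold."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

KEY_TTL_SECONDS = 15 * 60   # assumed lifetime of a confirmation key
MAX_CONFIRM_FAILURES = 5    # assumed bad-key attempts before the account locks


@dataclass
class PendingReset:
    key_hash: bytes          # only the hash of the key is kept server-side
    expires_at: float
    confirmed: bool = False


@dataclass
class Account:
    password: str
    failures: int = 0
    locked: bool = False
    pending: Optional[PendingReset] = None


class ResetService:
    def __init__(self, users, scim_update):
        self.users = users              # constructed stand-in for the user store
        self.scim_update = scim_update  # stand-in for the SCIM update-user call
        self.outbox = []                # captured "e-mails" (username, raw key)

    @staticmethod
    def _hash(key: str) -> bytes:
        return hashlib.sha256(key.encode()).digest()

    def initiate(self, username: str) -> str:
        """POST /password-reset/initiate: generate a confirmation key.
        The reply is identical whether or not the user exists, so the endpoint
        cannot be used to enumerate usernames."""
        acct = self.users.get(username)
        if acct is not None and not acct.locked:
            key = secrets.token_urlsafe(32)
            acct.pending = PendingReset(self._hash(key), time.time() + KEY_TTL_SECONDS)
            self.outbox.append((username, key))   # the raw key leaves the server once
        return "If the account exists, a reset link has been e-mailed."

    def confirm(self, username: str, key: str) -> bool:
        """GET /password-reset/confirm: called when the user clicks the link."""
        acct = self.users.get(username)
        if acct is None or acct.locked or acct.pending is None:
            return False
        pending = acct.pending
        if time.time() > pending.expires_at:      # expired key is discarded
            acct.pending = None
            return False
        if not hmac.compare_digest(pending.key_hash, self._hash(key)):
            acct.failures += 1                    # count guesses; lock on threshold
            if acct.failures >= MAX_CONFIRM_FAILURES:
                acct.locked = True
                acct.pending = None
            return False
        acct.failures = 0
        pending.confirmed = True
        return True

    def reset(self, username: str, key: str,
              new_password: str, retype_new_password: str) -> bool:
        """POST /password-reset: set the new password via the SCIM stand-in and
        invalidate the key so the same link cannot be replayed."""
        acct = self.users.get(username)
        pending = acct.pending if acct is not None else None
        if acct is None or acct.locked or pending is None or not pending.confirmed:
            return False
        if time.time() > pending.expires_at:
            acct.pending = None
            return False
        if not hmac.compare_digest(pending.key_hash, self._hash(key)):
            return False
        if new_password != retype_new_password or len(new_password) < 8:
            return False                          # retypeNewPassword must match
        acct.pending = None                       # single use
        self.scim_update(username, new_password)
        return True


def demo():
    """Build a service with one constructed user and start a reset for it."""
    users = {"alice": Account(password="old-secret")}

    def scim_update(username, new_password):      # stand-in for the SCIM call
        users[username].password = new_password

    svc = ResetService(users, scim_update)
    svc.initiate("alice")
    _, key = svc.outbox[-1]
    return svc, key
```

Running demo() and then confirm() followed by reset() with the e-mailed key walks the happy path; calling reset() before confirm(), reusing a key after a successful reset, or mismatching the retyped password all return False, and five wrong keys on confirm() lock the account so that even the correct key is then refused.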
