[Update] Hi all,
I have implemented UI changes to accommodate the password reset feature: a "Forgot password" option in the login page [Img-1], a page requesting the user name for validating the user [Img-2], a redirection page [Img-3] and a page to reset the password [Img-4]. In the back end, I have implemented an MSF4J endpoint to validate the entered user name. Currently, I am implementing REST APIs in carbon-auth to generate a random code (using SecureRandom [1]) and to send notifications with a link to reset the password.

[1] https://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html

Thanks,

On Thu, Aug 23, 2018 at 10:10 AM Ishara Cooray <[email protected]> wrote:

> +1 to make password-reset the base path if we are not going to have any other APIs other than password reset.
>
> Since clicking on the URL in the e-mail is what confirms the password reset action, I would suggest changing the endpoint to *confirm* rather than notify:
>
> /initiate
>> /confirm - endpoint gets called when user clicks on the link, validates the confirmation key
>> /
>
> Hope we can use the same password-reset API for the change password request as well.
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Tue, Aug 21, 2018 at 5:43 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>
>> On Tue, Aug 21, 2018 at 5:31 PM Vithursa Mahendrarajah <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> As per suggestions, I will work on the reset password feature. The proposed flow of implementation for this feature is as follows:
>>>
>>> [image: first_reset.png] [image: second_reset.png]
>>>
>>> We need the following APIs to handle a reset password request:
>>> /password-reset-initiate - generates a confirmation key
>>> /password-reset-notify - endpoint gets called when user clicks on the link, validates the confirmation key
>>> /password-reset - end point to reset password, ultimately calls SCIM API for updating user
>>>
>> If we consider REST best practices then this URL pattern might need to change. password-reset can be a base path and /initiate, /notify etc. can be operations performed on the service.
>> Also please see the URL patterns of other service providers.
>>
>> Thanks,
>> sanjeewa.
>>
>>> The password-reset-initiate and password-reset endpoints are associated with the client_credentials grant type. We can add separate scopes to these resources to enhance security.
>>> Here, do we need to have a dedicated end-point that can be used to reset the password for users in the API Store, or can we have a common end-point that is used to reset the password, like we had in IS?
>>>
>>> Please provide your thoughts and feedback.
>>>
>>> Thanks,
>>> Vithursa
>>>
>>> On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Are we planning to implement the account locking feature for the 3.0.0 release? We had this in 2.5/2.2 and it is a feature that we always suggest enabling in order to eliminate some of the security threats (i.e. password guessing attacks). If we are going to implement the 'forgot password' feature, it's better to consider implementing this as well. WDYT?
>>>>
>>>> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <[email protected]> wrote:
>>>>
>>>>> I don't think we should decide the priority of the feature based on how easy it is to implement. The priority should be decided based on its importance. To me, someone forgetting a password is far more likely than someone wanting to change it. So I would consider 'Forgot Password' a must-have feature and 'Change Password' a good-to-have one.
>>>>>
>>>>> The other reason this thread made me think about the 'Forgot Password' feature is that if we implement that feature, we can address the change password capability through the same feature. We don't have to implement two features to address the two use cases. So, two birds with one stone. Less code, fewer bugs and less work.
>>>>>
>>>>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <[email protected]> wrote:
>>>>>
>>>>>> +1 to implement the change password feature first as it is simpler than the forgot password feature, which involves user verification.
>>>>>> Also for the forgot password feature we can either send an email with a temporary password or redirect to the change password.
>>>>>> Even if we send a temporary password we will need to ask the user to change the password.
>>>>>>
>>>>>> Hi Vithursa,
>>>>>>
>>>>>> I would suggest having another required property called *retypeNewPassword* for new password verification.
>>>>>>
>>>>>> Thanks & Regards,
>>>>>> Ishara Cooray
>>>>>> Senior Software Engineer
>>>>>> Mobile : +9477 262 9512
>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <[email protected]> wrote:
>>>>>>
>>>>>>> Do we have any "send an email to user" feature in the APIM 3 road map?
>>>>>>>
>>>>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <[email protected]> wrote:
>>>>>>>
>>>>>>>> The forgot password feature should come with some sort of user verification (enter security question, send email verification, SMS verification etc.).
>>>>>>>> That feature needs to be implemented with some extensions, as not all are using the same verification process. So I think we can first complete this and come back to that feature.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> sanjeewa.
>>>>>>>>
>>>>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> +1. I too think that the forgot password option is more important, and it is not yet implemented. I would prefer if we start on that first.
>>>>>>>>>
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Mushthaq
>>>>>>>>>
>>>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Do we have a forgot password option on the Store? I would think that is more important for an API Store than a change password functionality.
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>> I am working on $subject in APIM 3.0.0. The planned flow of implementation is as follows:
>>>>>>>>>>>
>>>>>>>>>>> [image: new_password_mail.png]
>>>>>>>>>>> We have the SCIM API [1] for updating user-info. A separate REST API can be implemented to provide the feature to change the password by wrapping the mentioned SCIM API. The sample resource could be as follows:
>>>>>>>>>>>
>>>>>>>>>>> PasswordChangeRequest:
>>>>>>>>>>>   title: Request for changing password
>>>>>>>>>>>   required:
>>>>>>>>>>>     - username
>>>>>>>>>>>     - currentPassword
>>>>>>>>>>>     - newPassword
>>>>>>>>>>>   properties:
>>>>>>>>>>>     username:
>>>>>>>>>>>       type: string
>>>>>>>>>>>     currentPassword:
>>>>>>>>>>>       type: string
>>>>>>>>>>>     newPassword:
>>>>>>>>>>>       type: string
>>>>>>>>>>>
>>>>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Vithursa
>>>>>>>>>>> --
>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>> Software Engineer
>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>> Mobile : +94766695643
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Nuwan Dias
>>>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>>>> email : [email protected]
>>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Architecture mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mushthaq Rumy
>>>>>>>>> Senior Software Engineer
>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>> Email : [email protected]
>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sanjeewa Malalgoda
>>>>>>>> WSO2 Inc.
>>>>>>>> Mobile : +94 712933253
>>>>>>>> blog : http://sanjeewamalalgoda.blogspot.com/
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>> Director - WSO2, Inc. http://wso2.com
>>>>> email : [email protected]
>>>>> Phone : +94 777 775 729
>>>>
>>>> --
>>>> Thilini Shanika
>>>> Associate Technical Lead
>>>> WSO2, Inc.; http://wso2.com
>>>> 20, Palmgrove Avenue, Colombo 3
>>>> E-mail: [email protected]
>>>
>>> --
>>> Vithursa Mahendrarajah
>>> Software Engineer
>>> WSO2 Inc. - http://wso2.com
>>> Mobile : +94766695643
>>
>> --
>> Sanjeewa Malalgoda
>> WSO2 Inc.
>> Mobile : +94 712933253
>> blog : http://sanjeewamalalgoda.blogspot.com/

--
Vithursa Mahendrarajah
Software Engineer
WSO2 Inc. - http://wso2.com
Mobile : +94766695643
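As an added example, not code from this thread or from carbon-auth: a hypothetical Java store for the confirmation key behind the /initiate and /confirm steps discussed above. It generates the key with SecureRandom [1], keeps only a SHA-256 hash of it server side, expires it after an assumed 15 minutes and accepts it once only, comparing in constant time. Class, method and field names are assumptions; the nested record needs Java 16+.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical confirmation-key store behind /password-reset/initiate and /confirm (Java 16+). */
public class PasswordResetKeys {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(15);       // assumed key lifetime
    private record Pending(byte[] keyHash, Instant expiresAt) {}
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** /initiate: returns the key to embed in the e-mailed link; only its hash is stored. */
    public String initiate(String username) {
        byte[] raw = new byte[32];                                     // 256 bits from the CSPRNG
        RANDOM.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(username, new Pending(sha256(key), Instant.now().plus(TTL))); // replaces any older key
        return key;
    }

    /** /confirm: true only for that user's current, unexpired key; a matched key is single use. */
    public boolean confirm(String username, String key) {
        Pending p = pending.get(username);
        if (p == null) return false;                                   // nothing pending for this user
        boolean fresh = Instant.now().isBefore(p.expiresAt());
        boolean matches = MessageDigest.isEqual(p.keyHash(), sha256(key)); // constant-time compare
        if (!fresh || matches) pending.remove(username);               // burn on use or on expiry
        return fresh && matches;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);                        // SHA-256 is mandatory in Java
        }
    }

    public static void main(String[] args) {
        PasswordResetKeys keys = new PasswordResetKeys();
        String key = keys.initiate("alice");                           // constructed sample user
        System.out.println(keys.confirm("alice", "not-the-key"));      // wrong key: rejected, key stays pending
        System.out.println(keys.confirm("alice", key));                // correct key: accepted and consumed
        System.out.println(keys.confirm("alice", key));                // same key again: rejected
    }
}
```

The /password-reset step that follows would accept the new password only from a session that passed confirm, which is why the key is removed the moment it matches.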
