Hi Vithursa,

Few questions:

1. What happens when the user enters a wrong username? As a security best practice, the returned message must not indicate that the username is invalid, because a rogue user can determine valid usernames of the system by using this feature (i.e. username harvesting). Therefore, for both valid and invalid usernames, the system should show a message similar to "A password reset email has been sent to the registered email address".

2. How are you storing the confirmation codes against the user? Is it as a claim of the user or in the registry?

3. What is the validity of the confirmation code and how do you plan to clean up the expired/used codes?

Thanks,
Dulanja

On Wed, Sep 5, 2018 at 11:02 PM, Vithursa Mahendrarajah <[email protected]> wrote:
> [Update]
>
> Hi all,
>
> I have implemented UI changes to accommodate the password reset feature: a forgot password option in the login page [Img-1], requesting the user name for validating the user [Img-2], a redirection page [Img-3] and a page to reset the password [Img-4].
> In the back end, I have implemented an MSF4J endpoint to validate the entered user name. Currently, I am implementing REST APIs in carbon-auth to generate a random code (using SecureRandom [1]) and to send notifications with a link to reset the password.
>
> [1] https://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html
>
> Thanks,
>
> On Thu, Aug 23, 2018 at 10:10 AM Ishara Cooray <[email protected]> wrote:
>> +1 to make password-reset the base path if we are not going to have any other APIs other than password reset.
>>
>> Since clicking on the URL in the e-mail is something that is confirming the password reset action, I would suggest changing the endpoint to *confirm* rather than notify.
>>
>> /initiate
>>> /confirm - endpoint gets called when user clicks on the link, validates the confirmation key
>>> /
>>
>> Hope we can use the same password-reset API for the change password request as well.
>>
>> Thanks & Regards,
>> Ishara Cooray
>> Senior Software Engineer
>> Mobile : +9477 262 9512
>> WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>> On Tue, Aug 21, 2018 at 5:43 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>>> On Tue, Aug 21, 2018 at 5:31 PM Vithursa Mahendrarajah <[email protected]> wrote:
>>>> Hi all,
>>>>
>>>> As per the suggestions, I will work on the reset password feature. The proposed flow of implementation for this feature is as follows:
>>>>
>>>> [image: first_reset.png] [image: second_reset.png]
>>>>
>>>> We need the following APIs to handle the reset password request:
>>>> /password-reset-initiate - generates a confirmation key
>>>> /password-reset-notify - endpoint gets called when user clicks on the link, validates the confirmation key
>>>> /password-reset - endpoint to reset password, ultimately calls SCIM API for updating user
>>>>
>>> If we consider REST best practices then this URL pattern might need to change. password-reset can be a base path and /initiate, /notify etc. can be operations performed on the service.
>>> Also please see the URL patterns of other service providers.
>>>
>>> Thanks,
>>> sanjeewa.
>>>
>>>> Password-reset-initiate and password-reset endpoints are associated with client_credentials grant types. We can add separate scopes to these resources to enhance security.
>>>> Here, do we need to have a dedicated endpoint that can be used to reset the password for users in the API store, or can we have a common endpoint that is used to reset the password like we had in IS?
>>>>
>>>> Please provide your thoughts and feedback.
>>>>
>>>> Thanks,
>>>> Vithursa
>>>>
>>>> On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <[email protected]> wrote:
>>>>> Hi All,
>>>>>
>>>>> Are we planning to implement the account locking feature for the 3.0.0 release? Since we had this in 2.5/2.2 and this is a feature that we always suggest enabling in order to eliminate some of the security threats (i.e. password guessing attacks). If we are going to implement the 'forgot password' feature, it's better to consider implementing this as well. WDYT?
>>>>>
>>>>> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <[email protected]> wrote:
>>>>>> I don't think we should decide the priority of the feature based on how easy it is to implement. The priority should be decided based on its importance. To me, someone forgetting a password is far more likely than someone wanting to change it. So I would consider 'Forgot Password' as a must-have feature and 'Change Password' as a good-to-have one.
>>>>>>
>>>>>> The other reason this thread made me think about the 'Forgot Password' feature is that if we implement that feature, we can address the change password capability through the same feature. We don't have to implement two features to address the two use cases. So, two birds with one stone. Less code, less bugs and less work.
>>>>>>
>>>>>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <[email protected]> wrote:
>>>>>>> +1 to implement the change password feature first as it is simpler than the forgot password feature, which involves user verification.
>>>>>>> Also for the forgot password feature we can either send an email with a temporary password or redirect to the change password.
>>>>>>> Even if we send a temporary password we will need to ask to change the password.
>>>>>>>
>>>>>>> Hi Vithursa,
>>>>>>>
>>>>>>> I would suggest having another required property called *retypeNewPassword* for new password verification.
>>>>>>>
>>>>>>> Thanks & Regards,
>>>>>>> Ishara Cooray
>>>>>>>
>>>>>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <[email protected]> wrote:
>>>>>>>> Do we have any "send an email to user" feature in the APIM 3 road map?
>>>>>>>>
>>>>>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <[email protected]> wrote:
>>>>>>>>> The forgot password feature should come with some sort of user verification (enter security question, send email verification, SMS verification etc.).
>>>>>>>>> That feature needs to be implemented with some extensions as all are not using the same verification process.
>>>>>>>>> So I think we can first complete this and come back to that feature.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> sanjeewa.
>>>>>>>>>
>>>>>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <[email protected]> wrote:
>>>>>>>>>> +1. I too think that the forgot password option is more important and it is not yet implemented. I would prefer if we start on that first.
>>>>>>>>>>
>>>>>>>>>> Thanks & Regards,
>>>>>>>>>> Mushthaq
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <[email protected]> wrote:
>>>>>>>>>>> Do we have a forgot password option on the Store? I would think that is more important for an API Store than a change password functionality.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>> I am working on $subject in APIM 3.0.0. The planned flow of implementation is as follows:
>>>>>>>>>>>>
>>>>>>>>>>>> [image: new_password_mail.png]
>>>>>>>>>>>> We have SCIM API [1] for updating user-info. A separate REST API can be implemented to provide the feature to change password by wrapping the mentioned SCIM API. The sample resource could be as follows:
>>>>>>>>>>>>
>>>>>>>>>>>> PasswordChangeRequest:
>>>>>>>>>>>>   title: Request for changing password
>>>>>>>>>>>>   required:
>>>>>>>>>>>>     - username
>>>>>>>>>>>>     - currentPassword
>>>>>>>>>>>>     - newPassword
>>>>>>>>>>>>   properties:
>>>>>>>>>>>>     username:
>>>>>>>>>>>>       type: string
>>>>>>>>>>>>     currentPassword:
>>>>>>>>>>>>       type: string
>>>>>>>>>>>>     newPassword:
>>>>>>>>>>>>       type: string
>>>>>>>>>>>>
>>>>>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Vithursa
>>>>>>>>>>>> --
>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>> Mobile : +94766695643
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Nuwan Dias
>>>>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>>>>> email : [email protected]
>>>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>> Senior Software Engineer
>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>> Email : [email protected]
>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sanjeewa Malalgoda
>>>>>>>>> WSO2 Inc.
>>>>>>>>> Mobile : +94 712933253
>>>>>>>>> blog : http://sanjeewamalalgoda.blogspot.com/
>>>>>
>>>>> --
>>>>> Thilini Shanika
>>>>> Associate Technical Lead
>>>>> WSO2, Inc.; http://wso2.com
>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>> E-mail: [email protected]

--
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
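Dulanja's three questions above (a uniform reply for valid and invalid usernames, how the confirmation code is stored, and its validity and cleanup), worked through as an added Python model of the /initiate, /confirm and reset flow; this is not code from the thread or from carbon-auth, and the 15-minute TTL, the in-memory user store, the link format and the stand-in for the SCIM update are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window; the thread does not fix one
# Constructed stand-ins for the user store, notification sender and SCIM update.
USERS = {"alice": "alice@example.test"}   # username -> registered e-mail
PASSWORDS = {"alice": "old-pw"}
SENT_MAIL = []                            # (recipient, reset link) tuples
# Pending codes keyed by SHA-256(code): only the digest is stored, so a leaked claim/registry copy yields no live links.
PENDING = {}                              # digest -> {"user": ..., "expires": ...}

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def initiate(username, now=None):
    """POST /password-reset/initiate: identical reply for known and unknown users."""
    now = time.time() if now is None else now
    email = USERS.get(username)
    if email is not None:
        code = secrets.token_urlsafe(32)  # CSPRNG, the role SecureRandom plays in the thread
        PENDING[_digest(code)] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
        SENT_MAIL.append((email, "https://store.example.test/reset?code=" + code))
    # Same message either way, so the endpoint cannot be used for username harvesting.
    return "A password reset email has been sent to the registered email address"

def confirm(code, now=None):
    """GET /password-reset/confirm: validate the key carried by the e-mailed link."""
    now = time.time() if now is None else now
    entry = PENDING.get(_digest(code))  # exact digest lookup, no partial-match branch
    if entry is None or entry["expires"] <= now:
        return None
    return entry["user"]

def reset(code, new_password, now=None):
    """POST /password-reset: single use; the code is deleted once the password changes."""
    user = confirm(code, now)
    if user is None:
        return False
    del PENDING[_digest(code)]
    PASSWORDS[user] = new_password   # stand-in for the SCIM user update
    return True

def cleanup(now=None):
    """Periodic job: drop codes that expired without being used."""
    now = time.time() if now is None else now
    stale = [h for h, e in PENDING.items() if e["expires"] <= now]
    for h in stale:
        del PENDING[h]
    return len(stale)
```

Because the store holds only digests, a database dump does not let anyone complete a reset, and because reset deletes the entry, a link cannot be replayed after use.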
