On Thu, Sep 6, 2018 at 5:30 PM, Vithursa Mahendrarajah <[email protected]> wrote:

> Hi Dulanja,
>
> Please find my answers in-line:
>
> On Thu, Sep 6, 2018 at 10:45 AM Dulanja Liyanage <[email protected]> wrote:
>
>> Hi Vithursa,
>>
>> Few questions:
>>
>> 1. What happens when the user enters a wrong username? As a security best
>> practice, the returned message must not indicate that the username is
>> invalid, because a rogue user can determine valid usernames of the system
>> by using this feature (i.e. username harvesting). Therefore, for both valid
>> and invalid usernames, the system should show a message similar to "A password
>> reset email has been sent to the registered email address".
>
> As per the current implementation, it returns a message to indicate that the
> user name is invalid. I agree with the point you mentioned, but on the other
> hand, it will not give proper guidance in situations like when a user
> mistakenly enters their user name wrong. I checked this feature in other
> accounts as well, which indicate whether the user name is valid or not.

Social media and similar sites might prioritize UX over security and opt to
inform the user whether the username is valid or not. But we need to consider
other organizations, for example financial institutes like banks, who maintain
strict security policies that expect to avoid username enumeration. There's a
good reason why OWASP has recommendations on username enumeration (refer to
"Authentication and Error Messages" in [1]; also refer to the stackexchange
discussion at [2]; there are numerous other resources on the web).

The ideal solution to this problem of UX vs. security would be to make this
behaviour configurable: have a config that governs the message returned from
the API level. If making this configurable is too much hassle, then give
priority to security in this case, because if we give priority to UX, then in
future a customer might request a patch to make the messages generic due to
their security policies. I'm saying this because that has already happened in
the case of Identity Server.

An additional security measure that needs to be in place for password reset is
a mechanism to avoid automated bots trying usernames and flooding the system.
Since password reset is not a frequent task, users will not be much
inconvenienced. Please consider that as well.

[1] https://www.owasp.org/index.php/Authentication_Cheat_Sheet
[2] https://security.stackexchange.com/questions/98082/forgot-password-and-revealing-whether-account-exists

>> 2. How are you storing the confirmation codes against the user? Is it as
>> a claim of the user or in the registry?
>
> I hoped to store it as a claim of the user (admin has access to the
> confirmation code).
>
>> 3. What is the validity of the confirmation code and how do you plan to
>> clean up the expired/used codes?
>
> We can define it to be a day and store the generated time along with the
> code. Regarding the cleanup of used codes: once the user clicks on the
> link, gets verified and resets the password, we can remove the confirmation
> code after the successful reset. It won't be valid thereafter.
> Regarding the cleanup of expired codes, we do not need to remove expired
> codes as there will be one code per user; validating the expiry of the
> confirmation code would be enough. If it is necessary, we can do it by a
> weekly scheduled task.
>
> Also, to verify the confirmation code, we can have two options:
>
> 1. Send a redirect link in the mail (we had this in the previous version)
> 2. Send a confirmation code (which the user should enter to continue the
> password reset, like in Facebook)
>
> Which one would be more feasible to have? Please provide your thoughts.
>
> Thanks,
> Vithursa
>
>> Thanks,
>> Dulanja
>>
>> On Wed, Sep 5, 2018 at 11:02 PM, Vithursa Mahendrarajah <[email protected]> wrote:
>>
>>> [Update]
>>>
>>> Hi all,
>>>
>>> I have implemented UI changes to accommodate the password reset feature:
>>> a forgot password option in the login page [Img-1], requesting the user name
>>> for validating the user [Img-2], a redirection page [Img-3] and a page to
>>> reset the password [Img-4].
>>> In the back end, I have implemented an MSF4J endpoint to validate the entered
>>> user name. Currently, I am implementing REST APIs in carbon-auth to
>>> generate a random code (using SecureRandom [1]) and to send notifications
>>> with a link to reset the password.
>>>
>>> [1] https://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html
>>>
>>> Thanks,
>>>
>>> On Thu, Aug 23, 2018 at 10:10 AM Ishara Cooray <[email protected]> wrote:
>>>
>>>> +1 to make password-reset the base path if we are not going to have
>>>> any other APIs other than password reset.
>>>>
>>>> Since clicking on the URL in the e-mail is something that is confirming
>>>> the password reset action, I would suggest changing the endpoint to
>>>> *confirm* rather than notify:
>>>>
>>>>> /initiate
>>>>> /confirm - endpoint gets called when user clicks on the link,
>>>>> validates the confirmation key
>>>>> /
>>>>
>>>> Hope we can use the same password-reset API for the change password
>>>> request as well.
>>>>
>>>> Thanks & Regards,
>>>> Ishara Cooray
>>>> Senior Software Engineer
>>>> Mobile : +9477 262 9512
>>>> WSO2, Inc. | http://wso2.com/
>>>> Lean . Enterprise . Middleware
>>>>
>>>> On Tue, Aug 21, 2018 at 5:43 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>>>>
>>>>> On Tue, Aug 21, 2018 at 5:31 PM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> As per suggestions, I will work on the reset password feature. The
>>>>>> proposed flow of implementation for this feature is as follows:
>>>>>>
>>>>>> [image: first_reset.png] [image: second_reset.png]
>>>>>>
>>>>>> We need the following APIs to handle the reset password request:
>>>>>> /password-reset-initiate - generates a confirmation key
>>>>>> /password-reset-notify - endpoint gets called when user clicks on
>>>>>> the link, validates the confirmation key
>>>>>> /password-reset - endpoint to reset password, ultimately
>>>>>> calls SCIM API for updating user
>>>>>
>>>>> If we consider REST best practices then this URL pattern might need to
>>>>> change. password-reset can be a base path and /initiate, /notify etc. can
>>>>> be operations performed on the service.
>>>>> Also please see the URL patterns of other service providers.
>>>>>
>>>>> Thanks,
>>>>> sanjeewa.
>>>>>
>>>>>> The password-reset-initiate and password-reset endpoints are associated
>>>>>> with client_credentials grant types. We can add separate scopes to these
>>>>>> resources to enhance security.
>>>>>> Here, do we need to have a dedicated endpoint that can be used to
>>>>>> reset the password for users in the API Store, or can we have a common
>>>>>> endpoint that is used to reset the password like we had in IS?
>>>>>>
>>>>>> Please provide your thoughts and feedback.
>>>>>>
>>>>>> Thanks,
>>>>>> Vithursa
>>>>>>
>>>>>> On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Are we planning to implement the account locking feature for the 3.0.0
>>>>>>> release? We had this in 2.5/2.2, and this is a feature that we always
>>>>>>> suggest enabling in order to eliminate some of the security threats
>>>>>>> (i.e. password guessing attacks). If we are going to implement the
>>>>>>> 'forgot password' feature, it's better to consider implementing this as
>>>>>>> well. WDYT?
>>>>>>>
>>>>>>> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <[email protected]> wrote:
>>>>>>>
>>>>>>>> I don't think we should decide the priority of the feature based on
>>>>>>>> how easy it is to implement. The priority should be decided based on
>>>>>>>> its importance. To me, someone forgetting a password is far more likely
>>>>>>>> than someone wanting to change it. So I would consider 'Forgot
>>>>>>>> Password' as a must have feature and 'Change Password' as a good to
>>>>>>>> have one.
>>>>>>>>
>>>>>>>> The other reason this thread made me think about the 'Forgot
>>>>>>>> Password' feature is that if we implement that feature, we can address
>>>>>>>> the change password capability through the same feature. We don't have
>>>>>>>> to implement two features to address the two use cases. So, two birds
>>>>>>>> with one stone. Less code, less bugs and less work.
>>>>>>>>
>>>>>>>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> +1 to implement the change password feature first as it is simpler
>>>>>>>>> than the forgot password feature, which involves user verification.
>>>>>>>>> Also for the forgot password feature we can either send an email
>>>>>>>>> with a temporary password or redirect to the change password.
>>>>>>>>> Even if we send a temporary password we will need to ask to change
>>>>>>>>> the password.
>>>>>>>>>
>>>>>>>>> Hi Vithursa,
>>>>>>>>>
>>>>>>>>> I would suggest having another required property called
>>>>>>>>> *retypeNewPassword* for new password verification.
>>>>>>>>>
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Ishara Cooray
>>>>>>>>> Senior Software Engineer
>>>>>>>>> Mobile : +9477 262 9512
>>>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>
>>>>>>>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Do we have any "send an email to user" feature in the APIM 3 road map?
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> The forgot password feature should come with some sort of user
>>>>>>>>>>> verification (enter a security question, or send email verification,
>>>>>>>>>>> SMS verification etc.).
>>>>>>>>>>> That feature needs to be implemented with some extensions as not all
>>>>>>>>>>> are using the same verification process.
>>>>>>>>>>> So I think we can first complete this and come back to that
>>>>>>>>>>> feature.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> sanjeewa.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> +1. I too think that the forgot password option is more important
>>>>>>>>>>>> and it is not yet implemented. I would prefer if we start on that
>>>>>>>>>>>> first.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Do we have a forgot password option on the Store? I would
>>>>>>>>>>>>> think that is more important for an API Store than a change
>>>>>>>>>>>>> password functionality.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>> I am working on $subject in APIM 3.0.0. The planned flow of
>>>>>>>>>>>>>> implementation is as follows:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [image: new_password_mail.png]
>>>>>>>>>>>>>> We have the SCIM API [1] for updating user-info. A separate REST
>>>>>>>>>>>>>> API can be implemented to provide the feature to change the
>>>>>>>>>>>>>> password by wrapping the mentioned SCIM API. The sample resource
>>>>>>>>>>>>>> could be as:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PasswordChangeRequest:
>>>>>>>>>>>>>>   title: Request for changing password
>>>>>>>>>>>>>>   required:
>>>>>>>>>>>>>>     - username
>>>>>>>>>>>>>>     - currentPassword
>>>>>>>>>>>>>>     - newPassword
>>>>>>>>>>>>>>   properties:
>>>>>>>>>>>>>>     username:
>>>>>>>>>>>>>>       type: string
>>>>>>>>>>>>>>     currentPassword:
>>>>>>>>>>>>>>       type: string
>>>>>>>>>>>>>>     newPassword:
>>>>>>>>>>>>>>       type: string
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>>>> Mobile : +94766695643
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Nuwan Dias
>>>>>>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>>>>>>> email : [email protected]
>>>>>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Sanjeewa Malalgoda
>>>>>>>>>>> WSO2 Inc.
>>>>>>>>>>> Mobile : +94 712933253
>>>>>>>>>>> blog : http://sanjeewamalalgoda.blogspot.com/
>>>>>>>>
>>>>>>>> --
>>>>>>>> Nuwan Dias
>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>> email : [email protected]
>>>>>>>> Phone : +94 777 775 729
>>>>>>>
>>>>>>> --
>>>>>>> Thilini Shanika
>>>>>>> Associate Technical Lead
>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>>> E-mail: [email protected]
>>>>>>
>>>>>> --
>>>>>> Vithursa Mahendrarajah
>>>>>> Software Engineer
>>>>>> WSO2 Inc. - http://wso2.com
>>>>>> Mobile : +94766695643
>>>>>
>>>>> --
>>>>> Sanjeewa Malalgoda
>>>>> WSO2 Inc.
>>>>> Mobile : +94 712933253
>>>>> blog : http://sanjeewamalalgoda.blogspot.com/
>>>
>>> --
>>> Vithursa Mahendrarajah
>>> Software Engineer
>>> WSO2 Inc. - http://wso2.com
>>> Mobile : +94766695643
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>
> --
> Vithursa Mahendrarajah
> Software Engineer
> WSO2 Inc. - http://wso2.com
> Mobile : +94766695643

--
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
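The reset flow discussed in this thread (a generic response for valid and invalid usernames, a throttle against bots flooding the initiate endpoint, a CSPRNG confirmation code with a one-day validity and one code per user, and removal of the code after a successful reset) is sketched below as an added example. It is not code from the thread or from the APIM/carbon-auth code base, and it is written in Python rather than the project's Java so that it runs stand-alone. Everything it assumes is labelled: an in-memory dictionary stands in for the user store and for the SCIM update; the code is stored as a SHA-256 digest and compared with `hmac.compare_digest` (a hardening choice of this example, the thread itself stores the code as a user claim); the throttle limits of 5 initiates per username and 20 per client IP in a 15-minute window are made-up numbers; and the `clock` parameter exists only so that expiry can be exercised without waiting a day.

```python
"""Enumeration-safe, throttled password reset flow (added illustration, not project code)."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Wording from the thread: identical for valid, invalid and throttled usernames.
GENERIC_MESSAGE = "A password reset email has been sent to the registered email address."
CODE_TTL_SECONDS = 24 * 60 * 60   # "define it to be a day"
WINDOW_SECONDS = 15 * 60          # assumed throttling window
MAX_PER_USERNAME = 5              # assumed limit per username in the window
MAX_PER_IP = 20                   # assumed limit per client IP in the window


class PasswordResetService:
    def __init__(self, users, clock=time.time):
        # users: {username: {"email": ..., "password": ...}}; a constructed
        # stand-in for the user store that the real flow reads via claims/SCIM.
        self.users = users
        self.clock = clock
        self.codes = {}                      # username -> (sha256(code), issued_at); one code per user
        self.attempts = defaultdict(deque)   # throttle key -> timestamps inside the window
        self.outbox = []                     # (email, code) pairs a mailer would deliver

    def _throttled(self, key, limit):
        """Sliding-window counter; returns True when the caller must be refused."""
        now = self.clock()
        window = self.attempts[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= limit:
            return True
        window.append(now)
        return False

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).digest()

    def initiate(self, username, client_ip):
        """/initiate: always answers with GENERIC_MESSAGE, so the reply leaks nothing."""
        if (self._throttled(("ip", client_ip), MAX_PER_IP)
                or self._throttled(("user", username), MAX_PER_USERNAME)):
            return GENERIC_MESSAGE
        user = self.users.get(username)
        if user is not None:
            code = secrets.token_urlsafe(32)   # CSPRNG, the role java.security.SecureRandom plays
            self.codes[username] = (self._digest(code), self.clock())   # overwrites any older code
            self.outbox.append((user["email"], code))
        return GENERIC_MESSAGE

    def confirm(self, username, code):
        """/confirm: valid only if a code exists, is unexpired and matches in constant time."""
        entry = self.codes.get(username)
        if entry is None:
            return False
        code_hash, issued_at = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            del self.codes[username]         # lazy cleanup instead of a scheduled sweep
            return False
        return hmac.compare_digest(code_hash, self._digest(code))

    def reset(self, username, code, new_password, retype_new_password):
        """/password-reset: re-checks the code, updates the password, then burns the code."""
        if new_password != retype_new_password:
            return False
        if not self.confirm(username, code):
            return False
        self.users[username]["password"] = new_password   # stand-in for the SCIM user update
        del self.codes[username]                           # single use; "won't be valid thereafter"
        return True


if __name__ == "__main__":
    svc = PasswordResetService({"alice": {"email": "[email protected]", "password": "old"}})
    print(svc.initiate("alice", "10.0.0.1"))    # same text either way
    print(svc.initiate("nobody", "10.0.0.1"))
    _, code = svc.outbox[0]                      # only the real user got mail
    print(svc.reset("alice", code, "n3w-pass", "n3w-pass"), svc.confirm("alice", code))
```

Two caveats the code makes visible: the generic message closes the enumeration channel in the response body, but a large timing difference between the "user exists, generate and mail a code" path and the "no user" path can reopen it, so the mail send should be queued asynchronously; and because throttled requests still get GENERIC_MESSAGE, the throttle itself does not become an oracle for which usernames exist.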
