Hi Vithursa,

On Sun, Oct 7, 2018 at 11:29 AM Dulanja Liyanage <[email protected]> wrote:

> On Thu, Sep 6, 2018 at 5:30 PM, Vithursa Mahendrarajah <[email protected]>
> wrote:
>
>> Hi Dulanja,
>>
>> Please find my answers in-line:
>>
>> On Thu, Sep 6, 2018 at 10:45 AM Dulanja Liyanage <[email protected]>
>> wrote:
>>
>>> Hi Vithursa,
>>>
>>> Few questions:
>>>
>>> 1. What happens when the user enters a wrong username? As a security
>>> best practice, the returned message must not indicate that the username is
>>> invalid, because a rogue user can determine valid usernames of the system
>>> by using this feature (i.e. username harvesting). Therefore, for both valid
>>> and invalid usernames, the system should show a message similar to "A password
>>> reset email has been sent to the registered email address".
>>>
>>
>> As per the current implementation, it returns a message indicating that the
>> user name is invalid. I agree with the point you mentioned, but on the
>> other hand, it will not give proper guidance in situations where a user
>> mistakenly enters their user name wrong. I checked this feature in other
>> accounts as well, which indicate whether the user name is valid or not.
>>
>
According to Forrester's CIAM security maturity model as well, this is the
recommended behavior for the same reason Dulanja has pointed out. I have
sent a mail on this in [1]. See point # 12.

I will paste the relevant content here to make it easier. Ignore the color
encoding, red are the ones not in IS right now and green are the ones that
are there.

> a) The message displayed to the user should look like the following, and not
> reveal whether the user was actually found in the system:
> "If this email address refers to a valid user, we will send instructions
> to the email address on how to recover the password." Alternatively, you
> can show the user a partial view of the email address (i.e., "a********
> [email protected]") and ask the user to correctly complete it before allowing
> them to proceed.
>
> b) Having a captcha or a simple arithmetic test before updating the
> password.
>
> c) Sending email and SMS notifications when tasks begin and end.
>

> Social media and similar sites might prioritize UX over security and opt
> to inform the user whether the username is valid or not. But we need to
> consider other organizations, for example financial institutions like banks,
> which maintain strict security policies that expect to avoid username
> enumeration. There's a good reason why OWASP has recommendations on
> username enumeration (refer to "Authentication and Error Messages" in [1];
> also refer to this stackexchange discussion at [2]; there are numerous other
> resources on the web).
>
> The ideal solution to this problem of UX vs. security would be to make
> this behaviour configurable: have a config that governs the message
> returned from the API level. If making this configurable is too much
> hassle, then give priority to security in this case, because if we give
> priority to UX, then in future a customer might request a patch to make the
> messages generic due to their security policies. I'm saying this because
> that has already happened in the case of Identity Server.
>

IMO, we don't even need a property to control this behavior. Any serious
business will accept this if we reason out why we've designed it this
way. The ones who really want to get rid of it are less serious about their
business, and WSO2 doesn't have many of those. Worst case, they can
customize the UI for themselves.

[1] "[IAM] Complying with Forrester’s Customer IAM Security Maturity
Assessment Model" in [email protected]

Regards,
Johann.


>
> An additional security measure that needs to be in place for password
> reset is a mechanism to avoid automated bots trying usernames and flooding
> the system. Since password reset is not a frequent task, users will not be
> much inconvenienced. Please consider that as well.
>
> [1] https://www.owasp.org/index.php/Authentication_Cheat_Sheet
> [2]
> https://security.stackexchange.com/questions/98082/forgot-password-and-revealing-whether-account-exists
>
>>
>>> 2. How are you storing the confirmation codes against the user? Is it as
>>> a claim of the user or in the registry?
>>>
>>
>> I hoped to store it as a claim of the user (the admin has access to the
>> confirmation code).
>>
>>> 3. What is the validity of the confirmation code and how do you plan to
>>> clean up the expired/used codes?
>>>
>>
>> We can define it to be a day and store the generated time along with the
>> code. Regarding the cleanup of used codes: once the user clicks on the
>> link, gets verified and resets the password, we can remove the confirmation
>> code after the successful reset. It won't be valid thereafter.
>> Regarding the cleanup of expired codes, we do not need to remove expired
>> codes as there will be one code per user; validating the expiry of the
>> confirmation code would be enough. If it is necessary, we can do it by a
>> weekly scheduled task.
>>
>> Also, to verify the confirmation code, we can have two options as:
>>
>>    1. Send redirect link in mail (we have this in previous version)
>>    2. Send confirmation code (which user should enter to continue
>>    password reset, like in Facebook)
>>
>> Which one would be more feasible to have? Please provide your thoughts.
>>
>> Thanks,
>> Vithursa
>>
>>>
>>> Thanks,
>>> Dulanja
>>>
>>>
>>> On Wed, Sep 5, 2018 at 11:02 PM, Vithursa Mahendrarajah <
>>> [email protected]> wrote:
>>>
>>>> [Update]
>>>>
>>>> Hi all,
>>>>
>>>> I have implemented UI changes to accommodate the password reset feature:
>>>> a forgot password option in the login page [Img-1], requesting the user name
>>>> for validating the user [Img-2], a redirection page [Img-3] and a page to
>>>> reset the password [Img-4].
>>>> In the back end, I have implemented an MSF4J endpoint to validate the
>>>> entered user name. Currently, I am implementing REST APIs in carbon-auth to
>>>> generate a random code (using SecureRandom [1]) and to send notifications
>>>> with a link to reset the password.
>>>>
>>>> [1]
>>>> https://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html
>>>>
>>>> Thanks,
>>>>
>>>> On Thu, Aug 23, 2018 at 10:10 AM Ishara Cooray <[email protected]>
>>>> wrote:
>>>>
>>>>> +1 to make password-reset the base path if we are not going to have
>>>>> any other APIs other than password reset.
>>>>>
>>>>> Since clicking on the URL in the e-mail is something that is
>>>>> confirming the password reset action, I would suggest changing the
>>>>> endpoint to *confirm* rather than notify.
>>>>>
>>>>> /initiate
>>>>>> /confirm   -  endpoint gets called when user clicks on the link,
>>>>>> validates the confirmation key
>>>>>> /
>>>>>>
>>>>>
>>>>> Hope we can use the same password-reset api for change password
>>>>> request as well.
>>>>>
>>>>>
>>>>> Thanks & Regards,
>>>>> Ishara Cooray
>>>>> Senior Software Engineer
>>>>> Mobile : +9477 262 9512
>>>>> WSO2, Inc. | http://wso2.com/
>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>> On Tue, Aug 21, 2018 at 5:43 PM, Sanjeewa Malalgoda <[email protected]
>>>>> > wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Aug 21, 2018 at 5:31 PM Vithursa Mahendrarajah <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> As per suggestions, I will work on reset password feature. Proposed
>>>>>>> flow of implementation for this feature is as follows:
>>>>>>>
>>>>>>> [image: first_reset.png]                      [image:
>>>>>>> second_reset.png]
>>>>>>>
>>>>>>> We need the following APIs to handle the reset password request:
>>>>>>> /password-reset-initiate - generates a confirmation key
>>>>>>> /password-reset-notify   - endpoint gets called when user clicks on
>>>>>>> the link, validates the confirmation key
>>>>>>> /password-reset          - endpoint to reset password,
>>>>>>> ultimately calls SCIM API for updating user
>>>>>>>
>>>>>> If we consider REST best practices then this URL pattern might need
>>>>>> to change. password-reset can be a base path and /initiate, /notify etc.
>>>>>> can be operations performed on the service.
>>>>>> Also please see the URL patterns of other service providers.
>>>>>>
>>>>>> Thanks,
>>>>>> sanjeewa.
>>>>>>
>>>>>>>
>>>>>>> Password-reset-initiate and password-reset endpoints are associated
>>>>>>> with client_credentials grant types. We can add separate scopes to these
>>>>>>> resources to enhance security.
>>>>>>> Here, do we need to have a dedicated end-point that can be used to
>>>>>>> reset passwords for users in the API store, or can we have a common
>>>>>>> end-point that is used to reset passwords like we had in IS?
>>>>>>>
>>>>>>> Please provide your thoughts and feedback.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Vithursa
>>>>>>>
>>>>>>> On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Are we planning to implement the account locking feature for the 3.0.0
>>>>>>>> release? We had this in 2.5/2.2 and it is a feature that we always
>>>>>>>> suggest enabling in order to eliminate some of the security threats
>>>>>>>> (i.e. password guessing attacks). If we are going to implement the
>>>>>>>> 'forgot password' feature, it's better to consider implementing this
>>>>>>>> as well. WDYT?
>>>>>>>>
>>>>>>>> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> I don't think we should decide the priority of the feature based
>>>>>>>>> on how easy it is to implement. The priority should be decided based
>>>>>>>>> on its importance. To me, someone forgetting a password is far more
>>>>>>>>> likely than someone wanting to change it. So I would consider 'Forgot
>>>>>>>>> Password' as a must have feature and 'Change Password' as a good to
>>>>>>>>> have one.
>>>>>>>>>
>>>>>>>>> The other reason this thread made me think about the 'Forgot
>>>>>>>>> Password' feature is that if we implement that feature, we can
>>>>>>>>> address the change password capability through the same feature. We
>>>>>>>>> don't have to implement two features to address the two use cases.
>>>>>>>>> So, two birds with one stone. Less code, less bugs and less work.
>>>>>>>>>
>>>>>>>>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> +1 to implement the change password feature first as it is simpler
>>>>>>>>>> than the forgot password feature, which involves user verification.
>>>>>>>>>> Also, for the forgot password feature we can either send an email
>>>>>>>>>> with a temporary password or redirect to the change password page.
>>>>>>>>>> Even if we send a temporary password, we will need to ask the user to
>>>>>>>>>> change the password.
>>>>>>>>>>
>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>
>>>>>>>>>> I would suggest having another required property called
>>>>>>>>>> *retypeNewPassword* for new password verification.
>>>>>>>>>>
>>>>>>>>>> Thanks & Regards,
>>>>>>>>>> Ishara Cooray
>>>>>>>>>> Senior Software Engineer
>>>>>>>>>> Mobile : +9477 262 9512
>>>>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Do we have any send-an-email-to-user feature in the APIM 3 road map?
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The forgot password feature should come with some sort of user
>>>>>>>>>>>> verification (entering a security question, sending an email
>>>>>>>>>>>> verification, SMS verification etc.).
>>>>>>>>>>>> That feature needs to be implemented with some extensions as not
>>>>>>>>>>>> everyone uses the same verification process.
>>>>>>>>>>>> So I think we can first complete this and come back to that
>>>>>>>>>>>> feature.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> sanjeewa.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> +1. I too think that the forgot password option is more important
>>>>>>>>>>>>> and it is not yet implemented. I would prefer if we start on that
>>>>>>>>>>>>> first.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <[email protected]>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do we have a forgot password option on the Store? I would
>>>>>>>>>>>>>> think that is more important for an API Store than a change
>>>>>>>>>>>>>> password functionality.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <
>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>> I am working on $subject in APIM 3.0.0. Planned flow of
>>>>>>>>>>>>>>> implementation is as follows:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [image: new_password_mail.png]
>>>>>>>>>>>>>>> We have SCIM API [1] for updating user-info. A separate REST
>>>>>>>>>>>>>>> API can be implemented to provide the feature to change password
>>>>>>>>>>>>>>> by wrapping the mentioned SCIM API. The sample resource could be:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> PasswordChangeRequest:
>>>>>>>>>>>>>>>     title: Request for changing password
>>>>>>>>>>>>>>>     required:
>>>>>>>>>>>>>>>       - username
>>>>>>>>>>>>>>>       - currentPassword
>>>>>>>>>>>>>>>       - newPassword
>>>>>>>>>>>>>>>     properties:
>>>>>>>>>>>>>>>       username:
>>>>>>>>>>>>>>>         type: string
>>>>>>>>>>>>>>>       currentPassword:
>>>>>>>>>>>>>>>         type: string
>>>>>>>>>>>>>>>       newPassword:
>>>>>>>>>>>>>>>         type: string
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>>>>> Mobile  : +94766695643
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Nuwan Dias
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>>>>>>>> email : [email protected]
>>>>>>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>>> *Senior Software Engineer*
>>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>>>
>>>>>>>>>>>>> <http://wso2.com/signature>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> *Sanjeewa Malalgoda*
>>>>>>>>>>>> WSO2 Inc.
>>>>>>>>>>>> Mobile : +94 712933253
>>>>>>>>>>>>
>>>>>>>>>>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Nuwan Dias
>>>>>>>>>
>>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>>> email : [email protected]
>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thilini Shanika
>>>>>>>> Associate Technical Lead
>>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>>>>
>>>>>>>> E-mail: [email protected]
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Vithursa Mahendrarajah
>>>>>>> Software Engineer
>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>> Mobile  : +94766695643
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Sanjeewa Malalgoda*
>>>>>> WSO2 Inc.
>>>>>> Mobile : +94 712933253
>>>>>>
>>>>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Vithursa Mahendrarajah
>>>> Software Engineer
>>>> WSO2 Inc. - http://wso2.com
>>>> Mobile  : +94766695643
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> Dulanja Liyanage
>>> Lead, Platform Security Team
>>> WSO2 Inc.
>>>
>>
>>
>> --
>> Vithursa Mahendrarajah
>> Software Engineer
>> WSO2 Inc. - http://wso2.com
>> Mobile  : +94766695643
>>
>
>
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.
>


-- 

*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile: *+94 77 7776950*
LinkedIn: http://www.linkedin.com/in/johann-nallathamby
Medium: https://medium.com/@johann_nallathamby
Twitter: *@dj_nallaa*
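As an added example that is not code from carbon-auth, MSF4J or any WSO2 project, the following Java class pulls together the design points raised in this thread for the initiate/confirm/reset flow: the same response for valid and invalid usernames, a confirmation code drawn from SecureRandom, a one-day validity checked at confirmation time, and removal of the code after a successful reset. The class name, the in-memory user and code stores, the Mailer interface and the sample user "alice" are all assumptions. It goes slightly beyond the thread in two places: only a hash of the code is stored against the user (so an admin who can read the claim cannot use it), and the comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not carbon-auth or MSF4J code. The user store, mailer and code store are
// in-memory stand-ins (assumptions) for the claim/registry storage discussed in the thread.
public final class PasswordResetService {
    // Identical answer for valid and invalid usernames, so /initiate reveals nothing.
    public static final String GENERIC_RESPONSE =
            "If this username refers to a valid user, we will send instructions "
            + "to the registered email address on how to recover the password.";
    // Validity of a confirmation code: one day, as proposed in the thread.
    public static final Duration CODE_VALIDITY = Duration.ofDays(1);
    private static final SecureRandom RANDOM = new SecureRandom();

    public interface Mailer { void send(String email, String code); } // stand-in notifier

    // What is stored against the user: the SHA-256 of the code plus its generation time.
    // Keeping only the hash means an admin who can read the claim still cannot use the code.
    static final class CodeRecord {
        final byte[] codeHash; final Instant generatedAt;
        CodeRecord(byte[] h, Instant t) { codeHash = h; generatedAt = t; }
    }

    private final Map<String, String> userEmails;                            // username -> email
    private final Map<String, CodeRecord> codes = new ConcurrentHashMap<>(); // one code per user
    private final Mailer mailer;

    public PasswordResetService(Map<String, String> userEmails, Mailer mailer) {
        this.userEmails = userEmails;
        this.mailer = mailer;
    }

    // /initiate: send a fresh code if the user exists; respond identically either way.
    public String initiate(String username, Instant now) {
        String email = userEmails.get(username);
        if (email != null) {
            String code = newCode();
            codes.put(username, new CodeRecord(sha256(code), now)); // replaces any earlier code
            mailer.send(email, code);
        }
        return GENERIC_RESPONSE;
    }

    // /confirm: true only if a code exists for the user, is unexpired and matches.
    public boolean confirm(String username, String presentedCode, Instant now) {
        CodeRecord rec = codes.get(username);
        if (rec == null) return false;
        if (now.isAfter(rec.generatedAt.plus(CODE_VALIDITY))) {
            codes.remove(username); // expired: drop it now instead of waiting for a weekly sweep
            return false;
        }
        return MessageDigest.isEqual(rec.codeHash, sha256(presentedCode)); // constant-time compare
    }

    // /password-reset: re-check the code, then remove it so it is single-use.
    public boolean reset(String username, String presentedCode, String newPassword, Instant now) {
        if (!confirm(username, presentedCode, now)) return false;
        codes.remove(username);
        // Hypothetical: the real service would now call the SCIM API with newPassword.
        return true;
    }

    // 32 bytes (256 bits) from SecureRandom, URL-safe Base64 without padding (43 chars).
    static String newCode() {
        byte[] buf = new byte[32];
        RANDOM.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        Map<String, String> users = new HashMap<>();        // constructed sample user store
        users.put("alice", "alice@example.com");
        String[] mailed = new String[1];                     // captures the code that was "sent"
        PasswordResetService svc = new PasswordResetService(users, (email, code) -> mailed[0] = code);
        Instant t0 = Instant.now();
        System.out.println("same response for unknown user: " + svc.initiate("alice", t0).equals(svc.initiate("mallory", t0)));
        System.out.println("wrong code accepted: " + svc.confirm("alice", "not-the-code", t0));
        System.out.println("first reset accepted: " + svc.reset("alice", mailed[0], "N3w-Passw0rd", t0));
        System.out.println("replayed code accepted: " + svc.reset("alice", mailed[0], "N3w-Passw0rd", t0));
        svc.initiate("alice", t0); // new code, then check it two days later
        System.out.println("expired code accepted: " + svc.confirm("alice", mailed[0], t0.plus(Duration.ofDays(2))));
    }
}
```

Compile and run it with `javac PasswordResetService.java && java PasswordResetService`. Passing the clock in as an `Instant` rather than reading it inside the methods is what makes the expiry path testable without waiting a day. Because `initiate` overwrites the record, there is never more than one live code per user, which is the property Vithursa relies on for skipping a dedicated cleanup of expired codes; the check in `confirm` removes a stale record the first time it is touched, and `reset` removes a used one, so nothing accumulates beyond records for users who started a reset and never finished it.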

Attachment: initiate
Description: Binary data

