Hi Isura,

On Tue, Dec 10, 2019 at 6:20 PM Isura Karunaratne <[email protected]> wrote:

> Hi Dewni,
>
> On Tue, Dec 10, 2019 at 5:50 PM Dewni Weeraman <[email protected]> wrote:
>
>> Hi all,
>>
>> Currently, WSO2 Identity Server only supports email account verification
>> during the self-registration and user onboarding process. There is no
>> feature to trigger the email verification via email notification in a
>> scenario where the user’s email address is updated.
>>
> It would be better if we can generalize the same feature to the other
> claims as well. For example, support email verification for first name,
> last name updates.
>

Will this be a verification flow? IMO, this will be just a notification flow, where the user is notified on a channel preferred, or default, on the update of sensitive claims, as an additional security measure.

I think we need to clearly separate out (1) verifiable flows, verifiable claims, and (2) notifiable flows and notifiable claims, and each would have separate enforcement points. So, a claim update flow can either fall into (1) or (2). To generalize that, we need to identify,

- whether claim gets updated links with a verifiable flow or a notifiable flow
- resolve the verification method or notification method accordingly
- trigger verification or notification

For (1), we discussed on an architecture previously, but it was still not implemented [1]. So for (2), we laid out the ground with [2], but that's not the subject here.

Therefore, as a starting point for (1), I think we can proceed with the proposed approach, supporting it for email claim only and it has the ability to easily integrate with the generalized design later as we have that base.

> Cheers,
> Isura.
>
>> To address this limitation, we will be modifying
>> the UserEmailVerificationHandler [1] to trigger the email account
>> verification process when "emailaddress" claim has been updated. In order
>> to achieve this, the events PRE_SET_USER_CLAIM and POST_SET_USER_CLAIM will
>> be subscribed with the UserEmailVerificationHandler. To persist the changed
>> email address till account verification happens we wish to introduce a new
>> claim called "verificationPendingEmail". Upon email account verification,
>> the new email address will be persisted against the "emailaddress" claim.
>>
>> In a scenario where the user updates the profile with the same email
>> address which has already been verified, we have made the decision not to
>> trigger an email verification.
>>
>> Please find attached the draft user stories and solution implementation
>> documentation.
>>
>> [1]
>> https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/UserEmailVerificationHandler.java
>>
>> Kind regards,
>> Dewni Weeraman
>>
>> --
>> Dewni Weeraman | Software Engineer | WSO2 Inc.
>> (m) +94 077 2979049 | (e) [email protected] <[email protected]>
>>
>> <http://wso2.com/signature>
>>
>
> --
>
> *Isura Dilhara Karunaratne*
> Technical Lead | WSO2 <http://wso2.com/>
> *lean.enterprise.middleware*
> Email: [email protected]
> Mob : +94 772 254 810
> Blog : https://medium.com/@isurakarunaratne
>

[1] [IS] Claim verification API
[2] Supporting Email or Mobile as the Preferred Communication Channel for Users

Thanks,
Malithi

--
*Malithi Edirisinghe* | Technical Lead | WSO2 Inc.
(m) +94 718176807 | (w) +94 11 214 5345 | (e) [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
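The pending-email flow proposed in this thread, sketched as an added example (it is not WSO2 Identity Server code and was not posted by any participant). Only the claim names `emailaddress` and `verificationPendingEmail` come from the thread; the class, its methods, the code format and the 15-minute lifetime are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;

/** Hypothetical model of the flow; none of these names are WSO2 APIs. */
public class PendingEmailDemo {
    static final String EMAIL = "emailaddress";               // claim named in the thread
    static final String PENDING = "verificationPendingEmail"; // claim proposed in the thread
    static final long TTL_SECONDS = 900;                      // assumed code lifetime
    final Map<String, String> claims = new HashMap<>();
    private byte[] code;      // outstanding confirmation code, null when none
    private Instant expires;

    /** Claim-update step: returns the code to mail to newEmail, or null if none is needed. */
    String updateEmail(String newEmail, Instant now) {
        claims.remove(PENDING); // any earlier pending change is superseded
        code = null;
        if (newEmail.equals(claims.get(EMAIL))) { return null; } // same verified address
        claims.put(PENDING, newEmail); // "emailaddress" keeps the old value for now
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        code = token.getBytes(StandardCharsets.UTF_8);
        expires = now.plusSeconds(TTL_SECONDS);
        return token;
    }
    /** Confirmation step: promotes the pending address only for a valid, unexpired code. */
    boolean confirm(String presented, Instant now) {
        if (code == null || now.isAfter(expires)
                || !MessageDigest.isEqual(code, presented.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        claims.put(EMAIL, claims.remove(PENDING));
        code = null; // single use
        return true;
    }
    public static void main(String[] args) {
        PendingEmailDemo user = new PendingEmailDemo();
        user.claims.put(EMAIL, "old@example.com"); // constructed sample data
        Instant t0 = Instant.parse("2019-12-10T12:00:00Z");
        System.out.println("same address -> code: " + user.updateEmail("old@example.com", t0));
        String token = user.updateEmail("new@example.com", t0);
        System.out.println("before confirm: " + user.claims);
        System.out.println("wrong code accepted: " + user.confirm("guess", t0));
        System.out.println("right code accepted: " + user.confirm(token, t0.plusSeconds(60)));
        System.out.println("after confirm: " + user.claims);
    }
}
```

Until `confirm` succeeds, recovery and notification mail still goes to the old, verified address, which is the point of holding the new one in a separate claim.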
