Hi,

We are planning to expose the recovery APIs in IS 5.3.0 as REST APIs. We are also trying to reduce the complexity and improve the performance of the existing recovery Java APIs.
Currently, we have two password recovery methods:
- Recover with a notification
- Recover with secret questions

*Recover with a notification*

It is required to go through the following sequence to recover a password using an email in the existing APIs:

*getCaptcha*() - Generates a captcha.
*verifyUser*() - Validates the captcha answer and username and returns a new key.
*sendRecoveryNotification*() - Sends an email notification with a confirmation code to the user. Need to provide the key from the previous call.
*getCaptcha*() - Generates a captcha when the user clicks on the URL.
*verifyConfirmationCode*() - Validates the captcha answer and confirmation code. This returns a key.
*updatePassword*() - Updates the password in the system. Need to provide the key from the previous call and the new password; returns the status of the update, true or false.

*Recover with Secret Questions*

It is required to go through the following sequence to recover a password using secret questions in the existing APIs:

*getCaptcha*() - Generates a captcha.
*verifyUser*() - Validates the captcha answer and username and returns a new key.
*getUserChallengeQuestionIds*() - Retrieves the claim URI IDs specified for the user with the generated key. Need to provide the key from the previous call.
*getUserChallengeQuestion*() - Retrieves the user's challenge question for the specified claim URI ID from the previous call. Need to provide the key from the previous call.
*verifyUserChallengeAnswer*() - Validates the answer and confirmation code for the specified question. Need to provide the key from the previous call.
*updatePassword*() - Updates the password in the system. Need to provide the key from the previous call and the new password; returns the status of the update, i.e. true or false.

Currently, we are using kaptcha as the captcha generation engine, and in IS 5.3.0 we are planning to support reCaptcha [1] instead of kaptcha.
In both of the above recovery scenarios, if we manage captcha validation internally, captcha validation is tightly coupled with the recovery sequences. In 5.3.0, we are planning to decouple the captcha validation from the recovery APIs, so captcha validation should be done by the application.

WDYT?

Thanks
Isura

[1] https://www.google.com/recaptcha/intro/index.html

--
Isura Dilhara Karunaratne
Senior Software Engineer
Mob +94 772 254 810
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
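The "recover with a notification" sequence above is essentially a state machine in which each call consumes the key from the previous call and issues a new one. The following Python model, added here as an illustration and not code from WSO2 Identity Server or from the mail's author, shows the properties a practitioner would want such a key chain to have once captcha validation has been moved out to the application: every key is single-use, bound to the step that issued it and to an expiry; the confirmation code is stored hashed and is single-use; and verifyUser/sendRecoveryNotification behave the same for unknown users so the flow cannot be used to enumerate accounts. The class, method names (snake_case counterparts of the Java API names), the 300-second TTL and the in-memory `outbox` standing in for e-mail delivery are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Step labels are bound into each key so a key cannot be replayed at a different step.
STEP_USER_VERIFIED = "user-verified"
STEP_CODE_VERIFIED = "code-verified"


class RecoveryError(Exception):
    """Raised for an unknown, expired, reused or wrong-step key or confirmation code."""


def _digest(secret: str) -> str:
    # Confirmation codes are stored hashed, so a leaked store does not expose live codes.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class RecoveryService:
    # username -> {"email": ..., "password_hash": ...}; constructed sample data, not a real store.
    users: dict
    ttl: int = 300                       # seconds a key or code stays valid (assumed value)
    now: callable = time.time            # injectable clock so expiry is testable offline
    keys: dict = field(default_factory=dict)    # key -> (username, step, expiry)
    codes: dict = field(default_factory=dict)   # sha256(code) -> (username, expiry)
    outbox: list = field(default_factory=list)  # (email, code) pairs "sent"; stands in for SMTP

    def _issue_key(self, username: str, step: str) -> str:
        key = secrets.token_urlsafe(32)
        self.keys[key] = (username, step, self.now() + self.ttl)
        return key

    def _consume_key(self, key: str, expected_step: str) -> str:
        # pop() makes every key single-use; a wrong-step attempt also burns the key.
        entry = self.keys.pop(key, None)
        if entry is None:
            raise RecoveryError("unknown or already used key")
        username, step, expiry = entry
        if step != expected_step:
            raise RecoveryError("key was issued for a different step")
        if self.now() > expiry:
            raise RecoveryError("key expired")
        return username

    # The four calls of the notification sequence; the captcha has already been
    # validated by the calling application, as the proposal suggests.

    def verify_user(self, username: str) -> str:
        # A key is issued whether or not the user exists, so this call cannot be used
        # to enumerate accounts; an unknown user simply never receives a notification.
        return self._issue_key(username, STEP_USER_VERIFIED)

    def send_recovery_notification(self, key: str) -> bool:
        username = self._consume_key(key, STEP_USER_VERIFIED)
        user = self.users.get(username)
        if user is not None:
            code = secrets.token_urlsafe(16)
            self.codes[_digest(code)] = (username, self.now() + self.ttl)
            self.outbox.append((user["email"], code))
        return True   # same response for known and unknown users

    def verify_confirmation_code(self, code: str) -> str:
        entry = self.codes.pop(_digest(code), None)   # single-use
        if entry is None:
            raise RecoveryError("unknown or already used confirmation code")
        username, expiry = entry
        if self.now() > expiry:
            raise RecoveryError("confirmation code expired")
        return self._issue_key(username, STEP_CODE_VERIFIED)

    def update_password(self, key: str, new_password: str) -> bool:
        username = self._consume_key(key, STEP_CODE_VERIFIED)
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.users[username]["password_hash"] = (salt, pw_hash)
        return True

    def check_password(self, username: str, password: str) -> bool:
        stored = self.users[username]["password_hash"]
        if stored is None:
            return False
        salt, expected = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(candidate, expected)


def fails(call, *args) -> bool:
    """True if the call is rejected with RecoveryError (used to exercise misuse paths)."""
    try:
        call(*args)
    except RecoveryError:
        return True
    return False


def recover_via_notification(svc: RecoveryService, username: str, new_password: str) -> bool:
    """Run the whole sequence the way an application would after validating the captcha."""
    key = svc.verify_user(username)
    svc.send_recovery_notification(key)
    _email, code = svc.outbox[-1]                 # the user reads the code from the e-mail
    key = svc.verify_confirmation_code(code)
    return svc.update_password(key, new_password)


if __name__ == "__main__":
    demo = RecoveryService(users={"alice": {"email": "alice@example.org", "password_hash": None}})
    print(recover_via_notification(demo, "alice", "correct horse battery staple"))
```

The design choice worth noting is that the key returned by verifyUser() is only good for sendRecoveryNotification(), and the key returned by verifyConfirmationCode() is only good for updatePassword(): without the step binding, an attacker who obtained the first key could skip straight to the password update. With the captcha check moved to the application, rate limiting of verifyUser() and verifyConfirmationCode() has to be enforced somewhere else, since the server no longer proves a human was involved.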
