On Mon, May 16, 2016 at 10:25 AM, Isura Karunaratne <[email protected]> wrote:
> Hi,
>
> We are planning to expose recovery APIs in IS 5.3.0 as REST APIs. And
> also, we are trying to reduce the complexity and improve the performance in
> the existing recovery Java APIs as well.
>
> Currently, we have two ways of password recovery methods,
>
> - Recover with a notification
> - Recover with secret questions.
>
> *Recover with a notification*
>
> It is required to go through the following sequence to recover a password using
> an email in the existing APIs:
>
> *getCaptcha*() - Generates a captcha.
> *verifyUser*() - Validates the captcha answer and username and returns a new key.
> *sendRecoveryNotification*() - Sends an email notification with a confirmation code to the user. Need to provide the key from the previous call.
> *getCaptcha*() - Generates a captcha when the user clicks on the URL.
> *verifyConfirmationCode*() - Validates the captcha answer and confirmation code. This returns a key.
> *updatePassword*() - Updates the password in the system. Need to provide the key from the previous call and the new password; returns the status of the update, true or false.
>
> *Recover with Secret Questions*
>
> It is required to go through the following sequence to recover a password using
> secret questions in the existing APIs:
>
> *getCaptcha*() - Generates a captcha.
> *verifyUser*() - Validates the captcha answer and username and returns a new key.
> *getUserChallengeQuestionIds*() - Retrieves the claim URI IDs specified for the user with the generated key. Need to provide the key from the previous call.
> *getUserChallengeQuestion*() - Retrieves the user's challenge question for the specified claim URI ID from the previous call. Need to provide the key from the previous call.
> *verifyUserChallengeAnswer*() - Validates the answer and confirmation code for the specified question. Need to provide the key from the previous call.
> *updatePassword*() - Updates the password in the system. Need to provide the key from the previous call and the new password; returns the status of the update, i.e. true or false.
>
> Currently, we are using kaptcha as the captcha generation engine and in
> IS 5.3.0 we are planning to support reCaptcha [1] instead of kaptcha.
>
> In both of the above recovery scenarios,
>
> If we manage captcha validation internally, captcha validation is tightly
> coupled with the recovery sequences. In 5.3.0, we are planning to decouple
> the captcha validation from the recovery APIs.
> So, captcha validation should be done by the application.

In IS 5.3.0 by application I guess you also mean the account recovery webapp which will be shipped with IS for OOTB account recovery. So basically the captcha validation would happen between the user recovery webapp and the re-captcha service instead of coming to our backend service APIs. Right?

> WDYT?
>
> Thanks
> Isura
>
> [1] https://www.google.com/recaptcha/intro/index.html
> --
> Isura Dilhara Karunaratne
> Senior Software Engineer
>
> Mob +94 772 254 810
>

--
Thanks & Regards,
*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
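The chained-key sequence of the notification path above, modelled as an added example (not WSO2 Identity Server code; the RecoveryService class, its step names, the in-memory outbox and the 300-second TTL are assumptions). Captcha validation is left to the calling application, as the thread proposes, and every key is single-use and bound to the one step that may follow it, so a key leaked or replayed at any other point in the sequence is rejected.

```python
import secrets
import time


class RecoveryError(Exception):
    """Raised for an unknown user, or a key that is unknown, reused, expired or out of step."""


class RecoveryService:
    """Each step returns a one-time key tied to the user and to the next expected step."""

    KEY_TTL = 300  # seconds; constructed value for the example

    def __init__(self, users, now=time.time):
        self.users = dict(users)  # username -> password (constructed sample store)
        self.keys = {}            # key -> (username, next_step, expiry)
        self.now = now            # injectable clock so expiry can be tested
        self.outbox = []          # (username, confirmation_code); stands in for e-mail

    def _issue(self, username, next_step):
        key = secrets.token_urlsafe(32)
        self.keys[key] = (username, next_step, self.now() + self.KEY_TTL)
        return key

    def _consume(self, key, expected_step):
        # Pop first: a key is burned on its first presentation, right or wrong.
        entry = self.keys.pop(key, None)
        if entry is None:
            raise RecoveryError("unknown or already used key")
        username, step, expiry = entry
        if step != expected_step or self.now() > expiry:
            raise RecoveryError("key is expired or not valid for this step")
        return username

    def verify_user(self, username):
        # The captcha was already validated by the application, not here.
        if username not in self.users:
            raise RecoveryError("unknown user")
        return self._issue(username, "send_notification")

    def send_recovery_notification(self, key):
        username = self._consume(key, "send_notification")
        code = self._issue(username, "verify_code")  # the code that would be e-mailed
        self.outbox.append((username, code))

    def verify_confirmation_code(self, code):
        username = self._consume(code, "verify_code")
        return self._issue(username, "update_password")

    def update_password(self, key, new_password):
        username = self._consume(key, "update_password")
        self.users[username] = new_password
        return True
```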
