Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
On 06/20/2012 06:46 PM, Endi Sukma Dewata wrote:

ACK, but feel free to make additional minor changes as suggested below before push.

Pushed to master. I added some of the minor changes (patch attached for completeness).

On 6/19/2012 9:01 AM, Petr Vobornik wrote:

In general I like simplifying the dialog so I took most of your suggestions and implemented them the following way:

Login - Your session has expired. Please re-login.
To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly.
To login with username and password:
Username: [edewata ]
Password: [ ]
[Login]

So I just changed the order and kept only one button. If username and password are filled in it uses form-based auth, otherwise it uses Kerberos auth. I'm not sure if it is straightforward but it is easy to use.

The layout looks good. I think to avoid confusion the text should mention what needs to be done in each login option, something like this:

To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly, then click Login.
To login with username and password, enter them in the fields below then click Login.

Used both.

Another thing, when I fill in the username a red star (required marker) appears next to the password field, and disappears when I remove the username. I don't think we need to display it because it's pretty clear from the text that either you don't fill in anything or you fill in both fields. Fewer surprises is better, but I'll let you decide.

IMO it doesn't do any damage. It also enables required-validation so a 'required field' message is displayed when the user forgets to enter a password. I left it there.

I followed all suggestions in the reset part. I had to place an error box in the forms. I'm not sure about the position though. Updated patch attached.

I think this is fine.

Another option is to show the error box between the fields and the buttons; this way the content doesn't shift too much when the error appears. Same thing for the login page.

Left it unchanged.

In the Reset page if you click Cancel it goes back to the Login page, but the username & password are still showing the old values. I think the username_widget and password_widget should be cleared as well. What do you think?

Done.

One more thing, this dialog has an X button at the top right corner so people can close it. If it's closed it will show a blank page without a way to open it again. Maybe it should go to the unauthorized.html? This can be fixed separately.

I want to fix the X button separately. Probably we don't handle it well in other dialogs too.

-- Petr Vobornik

From 75f348c4452acb34379f2e6aff52726f616b9b94 Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Fri, 8 Jun 2012 15:02:25 +0200
Subject: [PATCH] Added password reset capabilities to unauthorized dialog

Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task.

This patch is adding reset password form to unauthorized dialog. If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User has to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user.

In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755
---
 install/ui/ipa.js                  | 408 +++-
 install/ui/test/data/ipa_init.json |  10 +-
 ipalib/plugins/internal.py         |  10 +-
 3 files changed, 319 insertions(+), 109 deletions(-)
diff --git a/install/ui/ipa.js b/install/ui/ipa.js index 648fcfc31e1f017aeecd597189b5d4a9789194ae..6e8620982dc8acf0ffa1c7dee30a07bf0c9cca1b 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -4,6 +4,7 @@ *Adam Young *Endi Dewata *John Dennis + *Petr Vobornik * * Copyright (C) 2010 Red Hat * see file 'COPYING' for use and warranty information @@ -402,6 +403,62 @@ IPA.login_password = function(username, password) { return result; }; +IPA.reset_password = function(username, old_password, new_password) { + +//possible results: 'ok', 'invalid-password', 'policy-error' + +var status, result, reason, invalid, failure, data, request; + +status = 'invalid'; +result = { +status: status, +message: IPA.get_message('password.reset_failure', +"Password reset was not successful.") +}; + +function success_handler(data, te
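Review bot: in the IPA.reset_password hunk the leading comment lists the possible results as 'ok', 'invalid-password' and 'policy-error', yet `status = 'invalid'` is what `result` starts with and therefore what every caller sees when the request fails or the result header is absent; either add 'invalid' to that comment or give the fallback a distinct, documented name so callers know to treat anything other than 'ok' as a failed reset.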
Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
ACK, but feel free to make additional minor changes as suggested below before push.

On 6/19/2012 9:01 AM, Petr Vobornik wrote:

In general I like simplifying the dialog so I took most of your suggestions and implemented them the following way:

Login - Your session has expired. Please re-login.
To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly.
To login with username and password:
Username: [edewata ]
Password: [ ]
[Login]

So I just changed the order and kept only one button. If username and password are filled in it uses form-based auth, otherwise it uses Kerberos auth. I'm not sure if it is straightforward but it is easy to use.

The layout looks good. I think to avoid confusion the text should mention what needs to be done in each login option, something like this:

To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly, then click Login.
To login with username and password, enter them in the fields below then click Login.

Another thing, when I fill in the username a red star (required marker) appears next to the password field, and disappears when I remove the username. I don't think we need to display it because it's pretty clear from the text that either you don't fill in anything or you fill in both fields. Fewer surprises is better, but I'll let you decide.

I followed all suggestions in the reset part. I had to place an error box in the forms. I'm not sure about the position though. Updated patch attached.

I think this is fine. Another option is to show the error box between the fields and the buttons; this way the content doesn't shift too much when the error appears. Same thing for the login page.

In the Reset page if you click Cancel it goes back to the Login page, but the username & password are still showing the old values. I think the username_widget and password_widget should be cleared as well. What do you think?

One more thing, this dialog has an X button at the top right corner so people can close it. If it's closed it will show a blank page without a way to open it again. Maybe it should go to the unauthorized.html? This can be fixed separately.

-- Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
In general I like simplifying the dialog so I took most of your suggestions and implemented them the following way:

Login - Your session has expired. Please re-login.
To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly.
To login with username and password:
Username: [edewata ]
Password: [ ]
[Login]

So I just changed the order and kept only one button. If username and password are filled in it uses form-based auth, otherwise it uses Kerberos auth. I'm not sure if it is straightforward but it is easy to use.

I followed all suggestions in the reset part. I had to place an error box in the forms. I'm not sure about the position though. Updated patch attached.

On 06/13/2012 07:18 PM, Endi Sukma Dewata wrote:

On 6/13/2012 8:15 AM, Petr Vobornik wrote:

I'll address all issues once we decide on the solution.

1. If you click 'form-based authentication' the dialog title still shows 'Kerberos ticket no longer valid' which is not relevant for form-based authentication. It might be better to use 'Login' as the title for all pages in this dialog.

Agree

2. Instead of having to go to a separate page for form-based authentication, would it be better to change the first page in the login dialog to show the login form? Something like this:

Login - Your session has expired. Please re-login.
To login with username and password:
Username: [edewata ]
Password: [ ]
[Login]
To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly.
[Login with Kerberos]

The two login mechanisms can be shown at the same time like above or in collapsible sections. If the user enters a password and it's expired, the dialog will change into:

I like the idea but I'm not sure about the layout. Having one button inside the dialog seems strange and also it will probably look weird.

You mean two buttons (Login & Login with Kerberos)? I agree it's kinda strange.

Collapsible sections are worse because you have to click on them so it slows things down.

That's also true. I'll leave this up to you. The current workflow still makes sense if we consider form-based authentication a less preferred method, so you'd have to go to another page to login with username & password.

Current implementation has the 'forms-based authentication' link selected so the user can in most cases hit enter and immediately write username, password and complete the login procedure only by using the keyboard.

Hmm... that's not very obvious though. I wouldn't have known that until you told me :) I think intuitively people will think that if you hit enter it will click the default button in the dialog, unless there's an input text field.

Also 'Login with Kerberos' is misleading. User logs in elsewhere (kinit). So the current button, 'retry', is more appropriate.

What I meant was 'Login with Kerberos mechanism' or 'Login with Kerberos ticket', but it might be too long. I assume people in general aren't going to be confused by that because the text also mentions that you'd have to get the ticket from kinit.

My concern with 'Retry' is that if you open the UI for the first time and you haven't done kinit yet, you'll see a message saying your Kerberos ticket has expired and asking you to Retry. This is not quite accurate because you never had a ticket before. The 'expired ticket' and 'retry' message might make more sense if you already had the UI open but left it for a while and come back to continue. If you just open the UI for the first time I think the message should only tell you what you need to do to login, not what went wrong in the past. I'll leave this up to you too. We might be able to keep the current workflow, but display a different message depending on whether it's your first visit or a return visit.

Login - Your password has expired.
Please enter a new password:
Username: edewata
New Password: [ ]
Verify Password: [ ]
[Reset Password and Login] [Cancel]

In this page the username is shown for info only, it's not editable. The old password is not shown again, but kept in memory. I use Cancel instead of Back to indicate that we are starting over. The Cancel button will bring you back to the first page.

Little change, but can probably be more straightforward - will do.

If you keep the original workflow, the Cancel button probably should bring you to the first page (expired ticket), not to the second page (login) because if your password has expired you can't login without reset anyway.

2a. The dialog uses headers in title (the one from #1) and headers inside (login, reset password). From your exam
Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
On 6/13/2012 8:15 AM, Petr Vobornik wrote:

I'll address all issues once we decide on the solution.

1. If you click 'form-based authentication' the dialog title still shows 'Kerberos ticket no longer valid' which is not relevant for form-based authentication. It might be better to use 'Login' as the title for all pages in this dialog.

Agree

2. Instead of having to go to a separate page for form-based authentication, would it be better to change the first page in the login dialog to show the login form? Something like this:

Login - Your session has expired. Please re-login.
To login with username and password:
Username: [edewata ]
Password: [ ]
[Login]
To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly.
[Login with Kerberos]

The two login mechanisms can be shown at the same time like above or in collapsible sections. If the user enters a password and it's expired, the dialog will change into:

I like the idea but I'm not sure about the layout. Having one button inside the dialog seems strange and also it will probably look weird.

You mean two buttons (Login & Login with Kerberos)? I agree it's kinda strange.

Collapsible sections are worse because you have to click on them so it slows things down.

That's also true. I'll leave this up to you. The current workflow still makes sense if we consider form-based authentication a less preferred method, so you'd have to go to another page to login with username & password.

Current implementation has the 'forms-based authentication' link selected so the user can in most cases hit enter and immediately write username, password and complete the login procedure only by using the keyboard.

Hmm... that's not very obvious though. I wouldn't have known that until you told me :) I think intuitively people will think that if you hit enter it will click the default button in the dialog, unless there's an input text field.

Also 'Login with Kerberos' is misleading. User logs in elsewhere (kinit). So the current button, 'retry', is more appropriate.

What I meant was 'Login with Kerberos mechanism' or 'Login with Kerberos ticket', but it might be too long. I assume people in general aren't going to be confused by that because the text also mentions that you'd have to get the ticket from kinit.

My concern with 'Retry' is that if you open the UI for the first time and you haven't done kinit yet, you'll see a message saying your Kerberos ticket has expired and asking you to Retry. This is not quite accurate because you never had a ticket before. The 'expired ticket' and 'retry' message might make more sense if you already had the UI open but left it for a while and come back to continue. If you just open the UI for the first time I think the message should only tell you what you need to do to login, not what went wrong in the past. I'll leave this up to you too. We might be able to keep the current workflow, but display a different message depending on whether it's your first visit or a return visit.

Login - Your password has expired.
Please enter a new password:
Username: edewata
New Password: [ ]
Verify Password: [ ]
[Reset Password and Login] [Cancel]

In this page the username is shown for info only, it's not editable. The old password is not shown again, but kept in memory. I use Cancel instead of Back to indicate that we are starting over. The Cancel button will bring you back to the first page.

Little change, but can probably be more straightforward - will do.

If you keep the original workflow, the Cancel button probably should bring you to the first page (expired ticket), not to the second page (login) because if your password has expired you can't login without reset anyway.

2a. The dialog uses headers in title (the one from #1) and headers inside (login, reset password). From your examples I'm not sure if you would like to:
a) remove the inside headers
b) change them to 'login' everywhere
c) keep them unchanged

I think the inside header is not necessary, it's a duplicate of the dialog title. This reset password operation is still part of the login operation because if you cancel reset you still aren't logged in yet.

3. I noticed that the password is kept in memory too long by the login dialog so if you go back and forth between the pages the fields are already populated. This might be a security risk. I think the username & password should be cleaned up when you click Back/Cancel.

Agree

Also when you complete the login process, it should be cleaned up as well.

4. Is there a plan to provide password reset via email?

I don't think so. I'm not sure if it is even useful for Freeipa. One of the main purposes for Freeipa is SSO and I guess company mail would be kerberized too. So if you forget the password, you can't login, reset and eve
Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
I'll address all issues once we decide on the solution.

On 06/13/2012 01:24 AM, Endi Sukma Dewata wrote:

On 6/8/2012 10:52 AM, Petr Vobornik wrote:

and now the patch...

On 06/08/2012 05:51 PM, Petr Vobornik wrote:

For those of you who are only interested in the user perspective I prepared a set of screenshots to demonstrate the workflow of password reset: http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png

Patch depends on mkosek #274.

Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task.

This patch is adding reset password form to unauthorized dialog. If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and current password is populated by values from previous login attempt. User then has to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user.

In password reset form user can click on back button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755

It works with mkosek 274-2. Some comments:

1. If you click 'form-based authentication' the dialog title still shows 'Kerberos ticket no longer valid' which is not relevant for form-based authentication. It might be better to use 'Login' as the title for all pages in this dialog.

Agree

2. Instead of having to go to a separate page for form-based authentication, would it be better to change the first page in the login dialog to show the login form? Something like this:

Login - Your session has expired. Please re-login.
To login with username and password:
Username: [edewata ]
Password: [ ]
[Login]
To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly.
[Login with Kerberos]

The two login mechanisms can be shown at the same time like above or in collapsible sections. If the user enters a password and it's expired, the dialog will change into:

I like the idea but I'm not sure about the layout. Having one button inside the dialog seems strange and also it will probably look weird. Collapsible sections are worse because you have to click on them so it slows things down.

Current implementation has the 'forms-based authentication' link selected so the user can in most cases hit enter and immediately write username, password and complete the login procedure only by using the keyboard.

Also 'Login with Kerberos' is misleading. User logs in elsewhere (kinit). So the current button, 'retry', is more appropriate.

Login - Your password has expired.
Please enter a new password:
Username: edewata
New Password: [ ]
Verify Password: [ ]
[Reset Password and Login] [Cancel]

In this page the username is shown for info only, it's not editable. The old password is not shown again, but kept in memory. I use Cancel instead of Back to indicate that we are starting over. The Cancel button will bring you back to the first page.

Little change, but can probably be more straightforward - will do.

2a. The dialog uses headers in title (the one from #1) and headers inside (login, reset password). From your examples I'm not sure if you would like to:
a) remove the inside headers
b) change them to 'login' everywhere
c) keep them unchanged

3. I noticed that the password is kept in memory too long by the login dialog so if you go back and forth between the pages the fields are already populated. This might be a security risk. I think the username & password should be cleaned up when you click Back/Cancel.

Agree

4. Is there a plan to provide password reset via email?

I don't think so. I'm not sure if it is even useful for Freeipa. One of the main purposes for Freeipa is SSO and I guess company mail would be kerberized too. So if you forget the password, you can't login, reset and even access mail. I guess using external mail is not the way to go. Maybe it is useful if a company uses an additional authentication mechanism like pin + token or other.

-- Petr Vobornik
Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
On 6/8/2012 10:52 AM, Petr Vobornik wrote:

and now the patch...

On 06/08/2012 05:51 PM, Petr Vobornik wrote:

For those of you who are only interested in the user perspective I prepared a set of screenshots to demonstrate the workflow of password reset: http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png

Patch depends on mkosek #274.

Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task.

This patch is adding reset password form to unauthorized dialog. If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and current password is populated by values from previous login attempt. User then has to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user.

In password reset form user can click on back button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755

It works with mkosek 274-2. Some comments:

1. If you click 'form-based authentication' the dialog title still shows 'Kerberos ticket no longer valid' which is not relevant for form-based authentication. It might be better to use 'Login' as the title for all pages in this dialog.

2. Instead of having to go to a separate page for form-based authentication, would it be better to change the first page in the login dialog to show the login form? Something like this:

Login - Your session has expired. Please re-login.
To login with username and password:
Username: [edewata ]
Password: [ ]
[Login]
To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and [configured] the browser correctly.
[Login with Kerberos]

The two login mechanisms can be shown at the same time like above or in collapsible sections. If the user enters a password and it's expired, the dialog will change into:

Login - Your password has expired.
Please enter a new password:
Username: edewata
New Password: [ ]
Verify Password: [ ]
[Reset Password and Login] [Cancel]

In this page the username is shown for info only, it's not editable. The old password is not shown again, but kept in memory. I use Cancel instead of Back to indicate that we are starting over. The Cancel button will bring you back to the first page.

3. I noticed that the password is kept in memory too long by the login dialog so if you go back and forth between the pages the fields are already populated. This might be a security risk. I think the username & password should be cleaned up when you click Back/Cancel.

4. Is there a plan to provide password reset via email?

-- Endi S. Dewata
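An added example, not FreeIPA's own code, modelling two things from the review above: mapping the X-IPA-Pwchange-Result and X-IPA-Pwchange-Policy-Error response headers used by the patch to a status/message pair with a safe fallback, and clearing the username and password on Cancel and after a completed login (point 3). The dialog object, its function names and the stand-in server are hypothetical.

```javascript
const RESULT_HEADER = 'X-IPA-Pwchange-Result';
const POLICY_HEADER = 'X-IPA-Pwchange-Policy-Error';
const KNOWN_RESULTS = ['ok', 'invalid-password', 'policy-error'];
const MSG_RESET_FAILURE = 'Password reset was not successful.';
const MSG_INVALID_PASSWORD = 'The password or username you entered is incorrect.';

// Map the change_password response headers to {status, message}; a missing or
// unexpected result header collapses to the generic failure, never an unknown status.
function parseResetResponse(getHeader) {
  const raw = getHeader(RESULT_HEADER);
  const status = KNOWN_RESULTS.indexOf(raw) >= 0 ? raw : 'invalid';
  let message = MSG_RESET_FAILURE;
  if (status === 'ok') {
    message = '';
  } else if (status === 'invalid-password') {
    message = MSG_INVALID_PASSWORD;
  } else if (status === 'policy-error') {
    message = getHeader(POLICY_HEADER) || MSG_RESET_FAILURE;
  }
  return { status: status, message: message };
}

// The policy text arrives in a response header; escape it before it goes into
// the dialog's error box so it is always rendered as text, never as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Hypothetical model of the unauthorized dialog (visible section + field values);
// `sendReset` stands in for the POST to /ipa/session/change_password.
function createLoginDialog(sendReset) {
  const fields = { username: '', password: '', new_password: '', verify_password: '' };
  const dialog = { section: 'login', fields: fields, error: '' };
  function clearCredentials() {
    Object.keys(fields).forEach(function (k) { fields[k] = ''; });
    dialog.error = '';
  }
  // Expired password on login: keep username and old password in memory
  // (never shown again) and switch to the reset form.
  dialog.passwordExpired = function (username, password) {
    fields.username = username;
    fields.password = password;
    dialog.section = 'reset';
  };
  // Cancel (or Escape) goes back to the login form and forgets everything.
  dialog.cancel = function () {
    clearCredentials();
    dialog.section = 'login';
  };
  dialog.reset = function () {
    if (fields.new_password !== fields.verify_password) {
      dialog.error = 'Passwords do not match.';
      return 'mismatch';
    }
    const result = parseResetResponse(
      sendReset(fields.username, fields.password, fields.new_password));
    if (result.status !== 'ok') {
      dialog.error = escapeHtml(result.message);
      return result.status;
    }
    // A successful reset is followed by a login with the new password; after
    // that nothing in the dialog should still hold credentials.
    clearCredentials();
    dialog.section = 'done';
    return 'ok';
  };
  return dialog;
}

// Constructed stand-in server: the old password must be 'Secret123' and new
// passwords shorter than 8 characters trip the policy check.
function fakeChangePassword(username, oldPassword, newPassword) {
  const headers = {};
  if (oldPassword !== 'Secret123') {
    headers[RESULT_HEADER] = 'invalid-password';
  } else if (newPassword.length < 8) {
    headers[RESULT_HEADER] = 'policy-error';
    headers[POLICY_HEADER] = 'Password is too short (<8 characters)';
  } else {
    headers[RESULT_HEADER] = 'ok';
  }
  return function (name) { return headers[name] || null; };
}
```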
Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
and now the patch...

On 06/08/2012 05:51 PM, Petr Vobornik wrote:

For those of you who are only interested in the user perspective I prepared a set of screenshots to demonstrate the workflow of password reset: http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png

Patch depends on mkosek #274.

Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task.

This patch is adding reset password form to unauthorized dialog. If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and current password is populated by values from previous login attempt. User then has to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user.

In password reset form user can click on back button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755

-- Petr Vobornik

From f627eb2709ca2a4176c8c6de45e02ba270b7056d Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Fri, 8 Jun 2012 15:02:25 +0200
Subject: [PATCH] Added password reset capabilities to unauthorized dialog

Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task.

This patch is adding reset password form to unauthorized dialog. If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and current password is populated by values from previous login attempt. User then has to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user.

In password reset form user can click on back button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755
---
 install/ui/ipa.js                  | 349 ++--
 install/ui/test/data/ipa_init.json |   2 +
 ipalib/plugins/internal.py         |   2 +
 3 files changed, 301 insertions(+), 52 deletions(-)

diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 648fcfc31e1f017aeecd597189b5d4a9789194ae..ffee6f5590620318f515b43d18418716fa9e9798 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -402,6 +402,62 @@ IPA.login_password = function(username, password) { return result; }; +IPA.reset_password = function(username, old_password, new_password) { + +//possible results: 'ok', 'invalid-password', 'policy-error' + +var status, result, reason, invalid, failure, data, request; + +status = 'invalid'; +result = { +status: status, +message: IPA.get_message('password.reset_failure', +"Password reset was not successful.") +}; + +function success_handler(data, text_status, xhr) { + +result.status = xhr.getResponseHeader("X-IPA-Pwchange-Result") || status; + +if (result.status === 'policy-error') { +result.message = xhr.getResponseHeader("X-IPA-Pwchange-Policy-Error"); +} else if (result.status === 'invalid-password') { +result.message = IPA.get_message('password.invalid_password', + "The password or username you entered is incorrect."); +} + +return result; +} + +function error_handler(xhr, text_status, error_thrown) { +return result; +} + +data = { +user: username, +old_password: old_password, +new_password: new_password +}; + +request = { +url: '/ipa/session/change_password', +data: data, +contentType: 'application/x-www-form-urlencoded', +processData: true, +dataType: 'html', +async: false, +type: 'POST', +success: success_handler, +error: error_handler +}; + +IPA.display_activity_icon(); +$.ajax(request); +IPA.hide_activity_icon(); + +return result; +}; + /** * Call an IPA command over JSON-RPC. * @@ -1386,6 +1442,8 @@ IPA.unauthorized_dialog = function(spec) { spec.sections = [ { +name: 'login', +label: 'Login', fields: [ { name: 'username', @@ -1399,6 +1457,35 @@ IPA.unauthorized_dialog = function(spec) { label: IPA.get_message('login.password', "Password") } ] +}, +{ +name: 'reset', +label: 'Reset', +fields: [ +{ +n
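Review bot: in the IPA.reset_password hunk, error_handler ignores xhr, text_status and error_thrown and just returns the pre-built 'invalid' result, so a network failure, a 401 and a 500 all look the same to the dialog as a wrong password; at minimum check xhr.status there and in success_handler, and log error_thrown. In success_handler, `result.status = xhr.getResponseHeader("X-IPA-Pwchange-Result") || status` copies whatever the header says, so a value outside the three documented results propagates unchanged; compare against the known values first. The X-IPA-Pwchange-Policy-Error text is likewise copied straight from the response into result.message; this hunk does not show where that message is rendered, so confirm the dialog inserts it as text rather than HTML. Finally, `async: false` plus the display/hide_activity_icon pair blocks the UI thread for the whole request, which matches IPA.login_password but is worth a comment.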
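Review bot: in the IPA.unauthorized_dialog hunks the new section labels are hardcoded English (`label: 'Login',` and `label: 'Reset',`) while the fields in the same sections go through IPA.get_message(...) with a fallback; route the labels through IPA.get_message as well so they are translatable like the rest of the dialog.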