Hi,

With IS 5.3.0, we currently provide a REST API for resending the
confirmation code (refer [1]), which supports only the self sign-up feature.
Therefore, we are planning to provide a more generic REST API and an OSGi
service for resending the confirmation code for any scenario.
Following are the scenarios in which we currently send confirmation
emails in IS.

   - *Password Reset* - password recovery using email-based notifications
   - *Account Confirmation* - email confirmation on user self registration
   - *Ask Password* - ask the password from the user through a confirmation email
   - *Admin Forced Password Reset* - admin triggers a password reset for a
   given user account
   - *Admin Forced Password Reset With OTP* - admin sends an email to the
   user with a one-time password that the user can use to log in once to the
   account, after which the user will be prompted to set a new password
   - *Email Confirmation* - account confirmation through email notification

In these, the confirmation emails expire after a configured time
period in order to keep the accounts secure. After expiration, we may
need to resend the confirmation emails.

So with this implementation, when a resend of the confirmation code is
requested, the previously issued code (even though it has not yet expired)
should be expired and the new confirmation code should be considered active.
Then, in any scenario, if a user requests to use an expired confirmation
code, we need to redirect the user to an error page mentioning that an
expired confirmation link was used.

In the case of user self registration, if a request is made for resending
the confirmation link after account activation, I think it should be handled
in the self registration API (currently, a Re-Send button to resend the
confirmation link appears on the login page when we try to log in to an
unverified account). We may not need to consider it when resending the
confirmation code. WDYT?
Other than that, I think we can consider the following scenarios as further
improvements. WDYT?

   - In case of a forgery, we may need to expire the confirmation link
   manually, before the configured time (without resending the confirmation
   link).
   - Currently, for resending the confirmation email for user self
   registration, we have provided support on the login page where the user can
   request to resend the confirmation link (we have not added this to the
   documentation; created a doc JIRA in [2]). In order to resend the
   confirmation emails from an admin (or a user with the required permissions),
   we can provide support in the management console to:
      - select the user(s) to whom the activation email needs to be resent
      - select a role to send confirmation emails to a group of users; here
      we may need to automatically skip over users who have already activated
      their accounts, in the case of self registration
Appreciate your ideas and comments on this.

[1] https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.user.endpoint/src/main/java/org/wso2/carbon/identity/user/endpoint/impl/ResendCodeApiServiceImpl.java
[2] https://wso2.org/jira/browse/DOCUMENTATION-7189

Thanks and Regards

-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
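The resend semantics proposed in the mail, modelled as an added example (not WSO2 IS code) using a hypothetical in-memory store: issuing or resending a code for a user and scenario revokes the earlier one even before its timeout, a manual revoke covers the forgery case without resending, and validation distinguishes an expired code (to be sent to the expired-link error page) from one that was never issued. Scenario names and the TTL are assumed values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class CodeRecord:
    user: str
    scenario: str      # e.g. "account-confirmation", "password-reset" (assumed names)
    issued_at: float
    revoked: bool = False


class ConfirmationCodeStore:
    """Hypothetical in-memory store (added example, not WSO2 IS code). Codes are
    looked up by SHA-256 so a leaked store yields no usable links; each
    (user, scenario) pair has at most one active code."""

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock   # injectable for deterministic expiry tests
        self._by_hash = {}   # code hash -> CodeRecord (keeps revoked ones too)
        self._active = {}    # (user, scenario) -> hash of the current code

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user: str, scenario: str) -> str:
        """Issue or resend; the earlier code for this user+scenario is revoked."""
        self.revoke(user, scenario)          # even if it has not timed out yet
        code = secrets.token_urlsafe(32)
        self._by_hash[self._digest(code)] = CodeRecord(user, scenario, self.clock())
        self._active[(user, scenario)] = self._digest(code)
        return code

    def revoke(self, user: str, scenario: str) -> bool:
        """Expire the current code manually (e.g. suspected forgery), no resend."""
        h = self._active.pop((user, scenario), None)
        if h is None:
            return False
        self._by_hash[h].revoked = True
        return True

    def validate(self, code: str) -> str:
        """Return 'active', 'expired' (revoked or timed out) or 'invalid'."""
        rec = self._by_hash.get(self._digest(code))
        if rec is None:
            return "invalid"
        if rec.revoked or self.clock() - rec.issued_at > self.ttl:
            return "expired"
        return "active"
```

A revoked or timed-out code still resolves to a record, so the caller can show the "expired link" page rather than a generic failure.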