On Thu, Sep 6, 2018 at 5:31 PM Vithursa Mahendrarajah <vithu...@wso2.com>
wrote:

> Hi Dulanja,
>
> Please find my answers in-line:
>
> On Thu, Sep 6, 2018 at 10:45 AM Dulanja Liyanage <dula...@wso2.com> wrote:
>
>> Hi Vithursa,
>>
>> Few questions:
>>
>> 1. What happens when the user enters a wrong username? As a security best
>> practice, the returned message must not indicate that the username is
>> invalid, because a rogue user can determine valid usernames of the system
>> by using this feature (i.e. username harvesting). Therefore, for both valid
>> and invalid usernames, the system should show a message similar to "A password
>> reset email has been sent to the registered email address".
>>
>
> As per the current implementation, it returns a message indicating that the
> user name is invalid. I agree with the point you mentioned, but on the
> other hand, it will not give proper guidance in situations where a user
> mistakenly enters their user name wrong. I checked this feature in other
> accounts as well, which indicate whether the user name is valid or not.
>
>>
>> 2. How are you storing the confirmation codes against the user? Is it as
>> a claim of the user or in the registry?
>>
>
> I hoped to store it as a claim of the user (the admin has access to the
> confirmation code).
>
IMO this is not correct. Then the users who can view the user profiles of
others can view the confirmation codes? Then they can change the passwords
of those users using those confirmation codes.



>> 3. What is the validity of the confirmation code and how do you plan to
>> clean up the expired/used codes?
>>
>
> We can define it to be a day and store the generated time along with the
> code. Regarding the cleanup of used codes, once the user clicks on the
> link, gets verified and resets the password, we can remove the confirmation
> code after the successful reset. It won't be valid thereafter.
> Regarding the cleanup of expired codes, we do not need to remove expired
> codes, as there will be one code per user; validating the expiry of the
> confirmation code would be enough. If necessary, we can do it with a weekly
> scheduled task.
>
Better to have a scheduled task, otherwise the table will grow if
users don't click on the email link.

>
> Also, to verify the confirmation code, we have two options:
>
>    1. Send a redirect link in the mail (we had this in the previous version)
>    2. Send a confirmation code (which the user should enter to continue
>    the password reset, like in Facebook)
>
> Which one would be more feasible to have? Please provide your thoughts.
>
API-wise there is not much difference between the two options. We had better
support both options.


> Thanks,
> Vithursa
>

Thanks
Isura.

>
>> Thanks,
>> Dulanja
>>
>>
>> On Wed, Sep 5, 2018 at 11:02 PM, Vithursa Mahendrarajah <
>> vithu...@wso2.com> wrote:
>>
>>> [Update]
>>>
>>> Hi all,
>>>
>>> I have implemented UI changes to accommodate the password reset feature:
>>> the forgot password option on the login page [Img-1], requesting the user name
>>> to validate the user [Img-2], the redirection page [Img-3] and the page to
>>> reset the password [Img-4].
>>> In the back end, I have implemented an MSF4J endpoint to validate the entered
>>> user name. Currently, I am implementing REST APIs in carbon-auth to
>>> generate a random code (using SecureRandom [1]) and to send notifications
>>> with a link to reset the password.
>>>
>>> [1]
>>> https://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html
>>>
>>> Thanks,
>>>
>>> On Thu, Aug 23, 2018 at 10:10 AM Ishara Cooray <isha...@wso2.com> wrote:
>>>
>>>> +1 to make password-reset the base path if we are not going to have
>>>> any other APIs other than password reset.
>>>>
>>>> Since clicking on the URL in the e-mail is what confirms
>>>> the password reset action, I would suggest changing the endpoint to
>>>> *confirm* rather than notify:
>>>>
>>>> /initiate
>>>> /confirm   -  endpoint gets called when the user clicks on the link,
>>>> validates the confirmation key
>>>> /
>>>>
>>>> Hope we can use the same password-reset API for the change password request
>>>> as well.
>>>>
>>>>
>>>> Thanks & Regards,
>>>> Ishara Cooray
>>>> Senior Software Engineer
>>>> Mobile : +9477 262 9512
>>>> WSO2, Inc. | http://wso2.com/
>>>> Lean . Enterprise . Middleware
>>>>
>>>> On Tue, Aug 21, 2018 at 5:43 PM, Sanjeewa Malalgoda <sanje...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 21, 2018 at 5:31 PM Vithursa Mahendrarajah <
>>>>> vithu...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> As per the suggestions, I will work on the reset password feature. The proposed
>>>>>> flow of implementation for this feature is as follows:
>>>>>>
>>>>>> [image: first_reset.png] [image: second_reset.png]
>>>>>>
>>>>>> We need the following APIs to handle the reset password request:
>>>>>> /password-reset-initiate  - generates a confirmation key
>>>>>> /password-reset-notify    - endpoint gets called when the user clicks on
>>>>>> the link, validates the confirmation key
>>>>>> /password-reset           - endpoint to reset the password, ultimately
>>>>>> calls the SCIM API for updating the user
>>>>>>
>>>>> If we consider REST best practices then this URL pattern might need to
>>>>> change. password-reset can be a base path and /initiate, /notify etc. can be
>>>>> operations performed on the service.
>>>>> Also please see the URL patterns of other service providers.
>>>>>
>>>>> Thanks,
>>>>> sanjeewa.
>>>>>
>>>>>>
>>>>>> The password-reset-initiate and password-reset endpoints are associated
>>>>>> with the client_credentials grant type. We can add separate scopes to these
>>>>>> resources to enhance security.
>>>>>> Here, do we need to have a dedicated end-point that can be used to
>>>>>> reset passwords for users in the API store, or can we have a common end-point
>>>>>> that is used to reset passwords like we had in IS?
>>>>>>
>>>>>> Please provide your thoughts and feedback.
>>>>>>
>>>>>> Thanks,
>>>>>> Vithursa
>>>>>>
>>>>>> On Tue, Aug 21, 2018 at 11:49 AM Thilini Shanika <thili...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Are we planning to implement the account locking feature for the 3.0.0
>>>>>>> release? We had this in 2.5/2.2 and it is a feature that we always
>>>>>>> suggest enabling in order to eliminate some security threats (i.e.
>>>>>>> password guessing attacks). If we are going to implement the 'forgot
>>>>>>> password' feature, it's better to consider implementing this as well. WDYT?
>>>>>>>
>>>>>>> On Tue, Aug 21, 2018 at 4:44 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>>>>
>>>>>>>> I don't think we should decide the priority of the feature based on
>>>>>>>> how easy it is to implement. The priority should be decided based on its
>>>>>>>> importance. To me, someone forgetting a password is far more likely than
>>>>>>>> someone wanting to change it. So I would consider 'Forgot Password' a
>>>>>>>> must-have feature and 'Change Password' a good-to-have one.
>>>>>>>>
>>>>>>>> The other reason this thread made me think about the 'Forgot
>>>>>>>> Password' feature is that if we implement that feature, we can address the
>>>>>>>> change password capability through the same feature. We don't have to
>>>>>>>> implement two features to address the two use cases. So, two birds with one
>>>>>>>> stone. Less code, fewer bugs and less work.
>>>>>>>>
>>>>>>>> On Tue, Aug 21, 2018 at 1:34 AM Ishara Cooray <isha...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> +1 to implement the change password feature first as it is simpler
>>>>>>>>> than the forgot password feature, which involves user verification.
>>>>>>>>> Also, for the forgot password feature we can either send an email
>>>>>>>>> with a temporary password or redirect to the change password.
>>>>>>>>> Even if we send a temporary password we will need to ask the user to change
>>>>>>>>> the password.
>>>>>>>>>
>>>>>>>>> Hi Vithursa,
>>>>>>>>>
>>>>>>>>> I would suggest having another required property called
>>>>>>>>> *retypeNewPassword* for new password verification.
>>>>>>>>>
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Ishara Cooray
>>>>>>>>>
>>>>>>>>> On Mon, Aug 20, 2018 at 5:08 PM, roshan wijesena <
>>>>>>>>> roshan86...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Do we have any send an email to user feature in apim 3 road map ?
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 20, 2018 at 7:56 PM Sanjeewa Malalgoda <
>>>>>>>>>> sanje...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> The forgot password feature should come with some sort of user
>>>>>>>>>>> verification (enter a security question, send email verification, SMS
>>>>>>>>>>> verification, etc.).
>>>>>>>>>>> That feature needs to be implemented with some extensions, as not
>>>>>>>>>>> everyone uses the same verification process.
>>>>>>>>>>> So I think we can first complete this and come back to that
>>>>>>>>>>> feature.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> sanjeewa.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:42 AM Mushthaq Rumy <
>>>>>>>>>>> musht...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> +1. I too think that the forgot password option is more important,
>>>>>>>>>>>> and it is not yet implemented. I would prefer if we start on that first.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Nuwan Dias <nuw...@wso2.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Do we have a forgot password option on the Store? I would
>>>>>>>>>>>>> think that is more important for an API Store than a change password
>>>>>>>>>>>>> functionality.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Aug 20, 2018 at 11:22 AM Vithursa Mahendrarajah <
>>>>>>>>>>>>> vithu...@wso2.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>> I am working on $subject in APIM 3.0.0. The planned flow of
>>>>>>>>>>>>>> implementation is as follows:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [image: new_password_mail.png]
>>>>>>>>>>>>>> We have the SCIM API [1] for updating user-info. A separate REST
>>>>>>>>>>>>>> API can be implemented to provide the feature to change the password by
>>>>>>>>>>>>>> wrapping the mentioned SCIM API. The sample resource could be as follows:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PasswordChangeRequest:
>>>>>>>>>>>>>>     title: Request for changing password
>>>>>>>>>>>>>>     required:
>>>>>>>>>>>>>>       - username
>>>>>>>>>>>>>>       - currentPassword
>>>>>>>>>>>>>>       - newPassword
>>>>>>>>>>>>>>     properties:
>>>>>>>>>>>>>>       username:
>>>>>>>>>>>>>>         type: string
>>>>>>>>>>>>>>       currentPassword:
>>>>>>>>>>>>>>         type: string
>>>>>>>>>>>>>>       newPassword:
>>>>>>>>>>>>>>         type: string
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please provide your thoughts and feedback on this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>>>> Mobile  : +94766695643
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Nuwan Dias
>>>>>>>>>>>>>
>>>>>>>>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>>>>>>>>> email : nuw...@wso2.com
>>>>>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>>>> Architecture@wso2.org
>>>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>> *Senior Software Engineer*
>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>> Email : musht...@wso2.com
>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Sanjeewa Malalgoda*
>>>>>>>>>>> WSO2 Inc.
>>>>>>>>>>> Mobile : +94 712933253
>>>>>>>>>>>
>>>>>>>>>>> Blog : http://sanjeewamalalgoda.blogspot.com/
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thilini Shanika
>>>>>>> Associate Technical Lead
>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>>>
>>>>>>> E-mail: tgtshan...@gmail.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 <http://wso2.com/>
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
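An added, editor-written illustration (not carbon-auth or WSO2 code) of the design points argued over in this thread: one constant response for known and unknown usernames, a CSPRNG-generated code kept only as a hash with a one-day validity and one code per user, single-use consumption after a successful reset, and a purge routine a scheduled task could call. The user set, the in-memory `pending` store, the `sent` mail stub, the `clock` parameter and the `set_password` callback are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the reset flow discussed in this thread; not carbon-auth code.
RESET_MESSAGE = "If the account exists, a password reset email has been sent to the registered address."
CODE_TTL_SECONDS = 24 * 60 * 60  # one-day validity, as proposed in the thread

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class PasswordResetService:
    def __init__(self, known_users, clock):
        self.known_users = set(known_users)  # stands in for the user-store lookup
        self.pending = {}                    # username -> (sha256(code), expiry): one code per user
        self.clock = clock                   # time source, injected so expiry can be tested
        self.sent = []                       # stand-in for the mail sender; only the mail sees the raw code

    def initiate(self, username):
        # Identical response for known and unknown usernames, so nothing is harvestable.
        if username in self.known_users:
            code = secrets.token_urlsafe(32)  # CSPRNG, the Python counterpart of SecureRandom
            self.pending[username] = (_digest(code), self.clock() + CODE_TTL_SECONDS)
            self.sent.append((username, code))
        return RESET_MESSAGE

    def confirm(self, username, code):
        # Only the hash is stored, so whoever can read the store (e.g. via a user claim) cannot reuse it.
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self.pending[username]
            return False
        return hmac.compare_digest(digest, _digest(code))

    def reset_password(self, username, code, new_password, set_password):
        if not self.confirm(username, code):
            return False
        set_password(username, new_password)  # would wrap the SCIM user update
        del self.pending[username]            # single use: the code is invalid after a successful reset
        return True

    def purge_expired(self):
        # What a weekly scheduled cleanup task would run; returns how many stale entries were dropped.
        now = self.clock()
        before = len(self.pending)
        self.pending = {u: v for u, v in self.pending.items() if now <= v[1]}
        return before - len(self.pending)
```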
