Hi Malithi,

I still think Isura has a valid requirement which is not captured in your response above. What Isura is explaining is not a notification flow; rather a 2FV flow.

For example, consider the following use case. If I have to update my challenge question answers, I have to first do a 2FV with my email address. Can this be supported based on your explanation above?

Thanks & Regards,
Johann.

On Thu, Dec 12, 2019 at 8:26 AM Malithi Edirisinghe <malit...@wso2.com> wrote:

> Hi Isura,
>
> On Tue, Dec 10, 2019 at 6:20 PM Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi Dewni,
>>
>> On Tue, Dec 10, 2019 at 5:50 PM Dewni Weeraman <de...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> Currently, WSO2 Identity Server only supports email account verification during the self-registration and user onboarding process. There is no feature to trigger the email verification via email notification in a scenario where the user’s email address is updated.
>>>
>> It would be better if we can generalize the same feature to the other claims as well. For example, support email verification for first name, last name updates.
>>
>
> Will this be a verification flow?
> IMO, this will be just a notification flow, where the user is notified on a channel preferred, or default on the update of sensitive claims, as an additional security measure.
>
> I think we need to clearly separate out,
> (1) verifiable flows, verifiable claims, and
> (2) notifiable flows and notifiable claims
>
> and, each would have separate enforcement points.
> So, a claim update flow, can either fall into (1) or (2) to generalize that, we need to identify,
> - whether claim gets updated links with a verifiable flow or a notifiable flow
> - resolve the verification method or notification method accordingly
> - trigger verification or notification
>
> For (1), we discussed on an architecture previously, but it was still not implemented [1].
> So for (2), we laid out the ground with [2], but that's not the subject here.
>
> Therefore, as a starting point for (1), I think we can proceed with the proposed approach, supporting it for email claim only and it has the ability to easily integrate with the generalized design later as we have that base.
>
>>
>> Cheers,
>> Isura.
>>
>>> To address this limitation, we will be modifying the UserEmailVerificationHandler [1] to trigger the email account verification process when "emailaddress" claim has been updated. In order to achieve this, the events PRE_SET_USER_CLAIM and POST_SET_USER_CLAIM will be subscribed with the UserEmailVerificationHandler. To persist the changed email address till account verification happens we wish to introduce a new claim called "verificationPendingEmail". Upon email account verification, the new email address will be persisted against the "emailaddress" claim.
>>>
>>> In a scenario where the user updates the profile with the same email address which has already been verified, we have made the decision not to trigger an email verification.
>>>
>>> Please find attached the draft user stories and solution implementation documentation.
>>>
>>> [1] https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/UserEmailVerificationHandler.java
>>>
>>> Kind regards,
>>> Dewni Weeraman
>>>
>>> --
>>> Dewni Weeraman | Software Engineer | WSO2 Inc.
>>> (m) +94 077 2979049 | (e) de...@wso2.com <nipu...@wso2.com>
>>>
>>
>> --
>> *Isura Dilhara Karunaratne*
>> Technical Lead | WSO2 <http://wso2.com/>
>> *lean.enterprise.middleware*
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : https://medium.com/@isurakarunaratne
>>
>
> [1] [IS] Claim verification API
> [2] Supporting Email or Mobile as the Preferred Communication Channel for Users
>
> Thanks,
> Malithi
> --
> *Malithi Edirisinghe* | Technical Lead | WSO2 Inc.
> (m) +94 718176807 | (w) +94 11 214 5345 | (e) malit...@wso2.com
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
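The pending-email flow proposed in the quoted message, modelled as an added example that is not part of the thread and is not WSO2 Identity Server code. Only the claim names "emailaddress" and "verificationPendingEmail" come from the thread; the class name, the 15-minute code lifetime and the hashed single-use confirmation code are assumptions.

```python
import hashlib
import hmac
import secrets
import time

EMAIL = "emailaddress"                # claim named in the thread
PENDING = "verificationPendingEmail"  # claim proposed in the thread
CODE_TTL = 15 * 60                    # assumed confirmation-code lifetime, seconds


class EmailChangeFlow:
    """Stand-alone model of the proposed flow (hypothetical class, assumptions above)."""

    def __init__(self, claims):
        self.claims = dict(claims)
        self._code_hash = None  # only a hash of the code is stored
        self._expires = 0.0

    def set_email(self, new_email, now=None):
        """Pre-update step: park the new address, return a code, or None if unchanged."""
        now = time.time() if now is None else now
        if new_email == self.claims.get(EMAIL):
            return None  # already-verified address: no verification triggered
        code = secrets.token_urlsafe(32)
        self.claims[PENDING] = new_email  # EMAIL stays untouched until confirmed
        self._code_hash = hashlib.sha256(code.encode()).digest()
        self._expires = now + CODE_TTL
        return code  # would be mailed to new_email only

    def confirm(self, code, now=None):
        """Promote the pending address if the code is valid, unexpired and unused."""
        now = time.time() if now is None else now
        if self._code_hash is None or now > self._expires:
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(supplied, self._code_hash):
            return False
        self.claims[EMAIL] = self.claims.pop(PENDING)
        self._code_hash = None  # single use: a replayed code is rejected
        return True


if __name__ == "__main__":
    flow = EmailChangeFlow({EMAIL: "alice@example.com"})  # constructed sample user
    code = flow.set_email("alice@new.example", now=0)
    print(flow.claims, flow.confirm(code, now=60), flow.claims)
```

Because a second `set_email` call overwrites the stored hash, a code issued for an earlier pending address stops working as soon as a newer change is requested.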