I'm working on implementing this for Horizon, and I have a working view where the user can change their password (https://review.opendev.org/672289). However, for this to be actually usable, the user has to know their user_id somehow. As far as I can tell, there is no way to determine the user_id from username without first authenticating, so the users still can't change their expired passwords.
** Changed in: keystone
       Status: Invalid => New

https://bugs.launchpad.net/bugs/1791111

Title:
  allow change password upon first use as user

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Identity (keystone):
  New
Status in python-openstackclient:
  New

Bug description:
  It's impossible to reset your password at the user level if
  "change_password_upon_first_use" is set.

  keystone.conf:
    [security_compliance]
    change_password_upon_first_use = True

  For new users it's impossible to reset your password via keystone.
  You can only reset the password via an admin, who created the user
  in the first place. So now the change_password_upon_first_use is
  kinda useless.

    (test2@test) [root@controller1 ~]# openstack user password set
    The password is expired and needs to be changed for user: bd3cc251fe694b15be88c443aa752ec1. (HTTP 401) (Request-ID: req-cdc7ddaf-d2ec-49ac-9708-2693811eb819)

  Desired situation:
  User can reset its own password on first use.