New Password Reset Configuration

Last modified 15 Nov 2021 11:25 +01:00
Missing/incomplete feature
This is a missing or incomplete feature of midPoint and/or of other related components. We are perfectly capable of implementing, fixing and finishing the feature; only the funding for the work is needed. Please consider supporting the development of this feature by means of a midPoint Platform subscription. If you are already a midPoint Platform subscriber and this feature is within the goals of your deployment, you may be able to use your subscription to endorse the implementation of this feature.

Motivation

The old Reset Password Configuration is a very limited and somewhat non-systemic feature. A better replacement is needed.

Basic Mechanism

The idea is that all password reset mechanisms share the same parts:

  • Request: the user requests a password reset. This may be as simple as a "forgot password" button on a login screen, but there may also be more complicated methods, such as requesting a password reset through a colleague or indirect helpdesk password reset scenarios.

  • Authentication: the user that requests the password reset is authenticated. This may be a complete out-of-band authentication (which effectively means no extra authentication is performed by midPoint). This may be a usual authentication using a nonce sent in an e-mail message. This may be authentication based on security questions. Or there may be other complex authentication schemes.

  • Source of new credentials specifies how a new credential value is determined. The new value may be entered by the user, randomly generated, determined by a key-exchange protocol and so on.

  • Delivery specifies how the new credential value is delivered to the user. The value may be simply displayed on the screen, sent in an e-mail or even distributed to several colleagues.

Interfaces

This change needs to be reflected in the interfaces as well (IDM Model Interface, REST API). Several new methods are needed:

  • Request method: the caller requests a credential reset for a user. This starts the reset process:
    requestCredentialReset(user, credentialId, resetMethodId): CredentialResetContext

  • Authentication method: the caller is authenticated (if needed).

  • Execute method: the credential reset is executed, credentials are changed, delivery methods are carried out:
    executeCredentialReset(user, credentialId, resetMethodId, newCredentialValue)

The usual process would be request-authenticate-execute. However, for simple cases it may be possible to invoke just the execute method.
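As an added illustration (not midPoint code or its API), the following Python model enforces the request-authenticate-execute order described above for the interface methods and exercises the four parts from the Basic Mechanism section: a nonce sent "by e-mail" for authentication, a new value that is either user-supplied or randomly generated, and the value handed back for the delivery step. The `ResetService` class, the `requires_auth` method table, the hashed-nonce storage and the 600-second nonce lifetime are assumptions made for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

NONCE_TTL = 600  # seconds a reset nonce stays valid (constructed value for this example)

@dataclass
class CredentialResetContext:
    user: str
    credential_id: str
    reset_method_id: str
    requested_at: float
    nonce_hash: bytes = b""  # only a hash is kept; the nonce itself is delivered to the user
    authenticated: bool = False

class ResetService:
    def __init__(self, methods, clock=time.time):
        self.methods = methods  # reset_method_id -> {"requires_auth": bool} (hypothetical table)
        self.contexts = {}      # (user, credential_id) -> pending CredentialResetContext
        self.clock = clock      # injectable so expiry can be tested
        self.outbox = []        # constructed stand-in for the e-mail channel: (user, nonce)

    def request_credential_reset(self, user, credential_id, reset_method_id):
        ctx = CredentialResetContext(user, credential_id, reset_method_id, self.clock())
        if self.methods[reset_method_id]["requires_auth"]:
            nonce = secrets.token_urlsafe(32)
            ctx.nonce_hash = hashlib.sha256(nonce.encode()).digest()
            self.outbox.append((user, nonce))  # delivery of the nonce, e.g. by e-mail
        self.contexts[(user, credential_id)] = ctx
        return ctx

    def authenticate(self, user, credential_id, nonce):
        ctx = self.contexts.get((user, credential_id))
        if ctx is None or not ctx.nonce_hash:
            return False  # nothing pending, or the method does not use a nonce
        if self.clock() - ctx.requested_at > NONCE_TTL:
            del self.contexts[(user, credential_id)]  # expired request is discarded
            return False
        digest = hashlib.sha256(nonce.encode()).digest()
        ctx.authenticated = secrets.compare_digest(ctx.nonce_hash, digest)
        return ctx.authenticated

    def execute_credential_reset(self, user, credential_id, reset_method_id, new_value=None):
        ctx = self.contexts.pop((user, credential_id), None)  # single use: context is consumed
        ok = ctx is not None and ctx.reset_method_id == reset_method_id and ctx.authenticated
        if self.methods[reset_method_id]["requires_auth"] and not ok:
            raise PermissionError("credential reset not authenticated")
        value = new_value if new_value is not None else secrets.token_urlsafe(16)
        return value  # handed to the delivery step (screen, e-mail, ...)
```

A method whose `requires_auth` is false models the out-of-band case, where the execute method is called directly; for all other methods the pending context is bound to the reset method it was requested for and consumed on the first execute, so a nonce cannot be replayed.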

Misc

The progress of the credential reset process may be stored in the user object.
