> Looks like via consulting work there is support to implement a flow to change
> an expiring password (Active Directory).
> Would such a change password flow be considered for inclusion in the IdP? Or
> is that out of scope?
We've historically treated it as out of scope but I know it comes up a lot as an interceptor issue.
I would probably only be interested in it if we had it suitably abstracted so that the change step itself is handled with a subclass of something we provide and people can plug in alternatives, so it's not AD specific.
> FWIW My plan is to use Ldaptive's "Password Modify", but I understand the
> need for abstraction.
Specifically, I'd probably propose a clear base class to extend, and a config that allows for a series of beans to be run (i.e. JAAS-like) to implement the change, and then just default to whatever LDAP thing you want to pop in.
> + conditional business logic
> + lockout ? (e.g. too many attempts)
> + log/audit intent to change password
I know people have barked a lot about the audit log not being architected around authentication events but profile events. Might be time to look at adding a layer for having multiple audit streams handling different sorts of events; it can be based on the same code I did but just track a different set of events and record things at different points in the flows.
> Not familiar enough with JAAS to understand what you mean regarding the
> series of beans, but it makes me think of multiple "change password" steps
> from the above sketch.
It's stackable modules that run in sequence or stop when one succeeds or whatever, PAM-like. My guess is some people will want to propagate the reset to multiple stores, and that if the counter to that is "you should have all that handled by your IDM system" I would argue that means the IdP shouldn't need to do any of this to begin with.
Ldaptive's "Password Modify" is based on the Internet Draft https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 which is the most standard-like thing I know of and which is implemented in a number of LDAP implementations.
Maybe this is the best guess for a "generic way" Scott was talking about in this thread.
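As an added illustration of the "base class plus a stack of beans" idea discussed above (a sketch written for this thread, not Shibboleth IdP or Ldaptive code; all class and method names are hypothetical), this shows a PAM-like chain where each step is a subclass a deployer provides, with REQUIRED/SUFFICIENT control flags, propagation to multiple stores, and audit records for the intent and the outcome:

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical sketch: none of these names exist in the IdP or in Ldaptive.
public class PasswordChangeChain {

    /** PAM-style control flags deciding how a step's result affects the chain. */
    public enum Control { REQUIRED, SUFFICIENT, OPTIONAL }

    /** Base class a deployer extends; an LDAP "Password Modify" step would be one subclass. */
    public abstract static class Step {
        private final Control control;
        protected Step(Control control) { this.control = control; }
        public Control control() { return control; }
        /** Return true on success, false on soft failure; throw on a hard failure such as a policy violation. */
        public abstract boolean change(String user, char[] oldPw, char[] newPw) throws Exception;
    }

    /** Separate audit stream for password-change events, as the thread suggests. */
    public interface Audit { void record(String user, String event); }

    private final List<Step> steps = new ArrayList<>();
    private final Audit audit;

    public PasswordChangeChain(Audit audit) { this.audit = audit; }
    public PasswordChangeChain add(Step step) { steps.add(step); return this; }

    /** Runs the stack in order: a SUFFICIENT success short-circuits, a REQUIRED failure fails the whole change. */
    public boolean run(String user, char[] oldPw, char[] newPw) {
        audit.record(user, "password-change-intent");   // record intent before touching any store
        boolean requiredFailed = false, anySuccess = false;
        for (Step step : steps) {
            boolean ok;
            try {
                ok = step.change(user, oldPw, newPw);
            } catch (Exception e) {
                ok = false;
                audit.record(user, step.getClass().getSimpleName() + " failed: " + e.getMessage());
            }
            if (ok) {
                anySuccess = true;
                if (step.control() == Control.SUFFICIENT && !requiredFailed) { break; }
            } else if (step.control() == Control.REQUIRED) {
                requiredFailed = true;   // keep going so later stores still see the attempt
            }
        }
        boolean result = anySuccess && !requiredFailed;
        audit.record(user, result ? "password-change-ok" : "password-change-failed");
        return result;
    }
}
```

Lockout after too many attempts would sit in front of run(), keyed on the audit stream's failure records for the user, rather than inside any one step.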