Change password flow ?
Change password flow ?

Tom Zeller-3
Looks like via consulting work there is support to implement a flow to change an expiring password (Active Directory).

Would such a change password flow be considered for inclusion in the IdP? Or is that out of scope?

Of course it could just be packaged as a contribution/extension.

I should probably also ask if anyone has done such a flow already.

Tom
--
To unsubscribe from this list send an email to [hidden email]
RE: Change password flow ?

Cantor, Scott E.
> Looks like via consulting work there is support to implement a flow to change
> an expiring password (Active Directory).
>
> Would such a change password flow be considered for inclusion in the IdP ? Or
> is that out of scope ?

We've historically treated it as out of scope but I know it comes up a lot as an interceptor issue.

I would probably only be interested in it if we had it suitably abstracted so that the change step itself is handled with a subclass of something we provide and people can plug in alternatives, so it's not AD specific.

-- Scott

Re: Change password flow ?

Tom Zeller-3
> suitably abstracted [...] change step itself

FWIW, my plan is to use Ldaptive's "Password Modify", but I understand the need for abstraction.

Tom

http://www.ldaptive.org/docs/guide/operations/extended/passwordmodify.html
RE: Change password flow ?

Cantor, Scott E.
> FWIW My plan is to use Ldaptive's "Password Modify", but I understand the
> need for abstraction.

Specifically, I'd probably propose a clear base class to extend, and a config that allows for a series of beans to be run (i.e. JAAS-like) to implement the change, and then just default to whatever LDAP thing you want to pop in.

-- Scott

Re: Change password flow ?

Tom Zeller-3
> [snip]

Okay.

WIP sketch of states/steps:

+ conditional business logic
+ lockout? (e.g. too many attempts)
+ log/audit intent to change password
+ change password
++ validate request (e.g. pwd complexity rules)
++ execute request (default to Ldaptive)
++ handle response
+++ handle error
+++ return something/reroute on success
+ audit
+ notify (e.g. via email to user)
+ increment counters/metrics (e.g. for lockout)

Not familiar enough with JAAS to understand what you mean regarding the series of beans, but it makes me think of multiple "change password" steps from the above sketch.

Tom
RE: Change password flow ?

Cantor, Scott E.
> + conditional business logic
> + lockout ? (e.g. too many attempts)
> + log/audit intent to change password

I know people have barked a lot about the audit log not being architected around authentication events but profile events. Might be time to look at adding a layer for having multiple audit streams handling different sorts of events; it can be based on the same code I did but just track a different set of events and record things at different points in the flows.

> Not familiar enough with JAAS to understand what you mean regarding the
> series of beans, but it makes me think of multiple "change password" steps
> from the above sketch.

It's stackable modules that run in sequence or stop when one succeeds or whatever, PAM-like. My guess is some people will want to propagate the reset to multiple stores, and that if the counter to that is "you should have all that handled by your IDM system" I would argue that means the IdP shouldn't need to do any of this to begin with.

-- Scott

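As an added example (not code from this thread, the Shibboleth IdP, or Ldaptive), the following Python model ties together Tom's step sketch (lockout check, audit of intent, validate, execute, handle errors, counters) and Scott's PAM-like stack of modules with control flags. The in-memory stores, the class and function names (`ChangeModule`, `ChangePasswordFlow`, `Control`, `build_flow`), and the complexity rule are constructed assumptions; in a real deployment the execute step would be the directory's password-modify operation, and notification is left out.

```python
"""Model of the stacked change-password flow sketched in this thread.

Constructed example: the in-memory stores stand in for LDAP directories, and
all class/function names are assumptions, not Shibboleth IdP or Ldaptive APIs.
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class MemoryStore:
    """Stand-in for a directory that accepts a password-modify request."""

    def __init__(self, users):
        self.users = dict(users)

    def modify(self, user, old, new):
        if self.users.get(user) != old:
            raise PermissionError("old password rejected")
        self.users[user] = new


class Control(Enum):
    """PAM-style control flags for a stacked module."""
    REQUISITE = "requisite"    # failure stops the flow immediately (use for validation)
    REQUIRED = "required"      # failure fails the flow; remaining modules still run
    SUFFICIENT = "sufficient"  # success ends the flow unless a REQUIRED step already failed
    OPTIONAL = "optional"      # outcome does not affect the result


@dataclass
class ChangeRequest:
    user: str
    old: str
    new: str


class ChangeModule:
    """Base class to extend; run() returns None on success or an error code."""

    def run(self, req: ChangeRequest):
        raise NotImplementedError


class ComplexityModule(ChangeModule):
    """Validate the request against local rules before touching any store."""

    def run(self, req):
        if len(req.new) < 12 or not re.search(r"\d", req.new) or req.new == req.old:
            return "complexity"
        return None


class StoreModule(ChangeModule):
    """Execute the change against one store (the Ldaptive step in the sketch)."""

    def __init__(self, name, store):
        self.name, self.store = name, store

    def run(self, req):
        try:
            self.store.modify(req.user, req.old, req.new)
        except PermissionError as exc:
            return f"{self.name}: {exc}"
        return None


@dataclass
class ChangePasswordFlow:
    modules: list                                   # (Control, ChangeModule) pairs, in order
    max_attempts: int = 3
    attempts: dict = field(default_factory=dict)   # per-user failure counter for lockout
    audit: list = field(default_factory=list)      # separate audit stream for change events

    def change(self, req: ChangeRequest) -> str:
        if self.attempts.get(req.user, 0) >= self.max_attempts:
            self.audit.append((req.user, "locked"))
            return "locked"
        self.audit.append((req.user, "intent"))
        errors, required_failed = [], False
        for control, module in self.modules:
            err = module.run(req)
            if err is None:
                if control is Control.SUFFICIENT and not required_failed:
                    break
                continue
            errors.append(err)
            if control is Control.REQUISITE:
                required_failed = True
                break
            if control is Control.REQUIRED:
                required_failed = True
        if required_failed:
            self.attempts[req.user] = self.attempts.get(req.user, 0) + 1
            self.audit.append((req.user, "failure", errors))
            return "failure"
        self.attempts.pop(req.user, None)          # reset the counter on success
        self.audit.append((req.user, "success"))
        return "success"


def build_flow(max_attempts=3):
    """Constructed stack: validate, then propagate to a primary and a mirror store."""
    primary = MemoryStore({"alice": "OldPassw0rd!!"})
    mirror = MemoryStore({"alice": "OldPassw0rd!!"})
    flow = ChangePasswordFlow([
        (Control.REQUISITE, ComplexityModule()),
        (Control.REQUIRED, StoreModule("primary", primary)),
        (Control.OPTIONAL, StoreModule("mirror", mirror)),
    ], max_attempts=max_attempts)
    return flow, primary, mirror


if __name__ == "__main__":
    flow, _, _ = build_flow()
    flow.change(ChangeRequest("alice", "OldPassw0rd!!", "BrandNewPassw0rd"))
    for event in flow.audit:
        print(event)
```

The REQUISITE flag on the validation step matters: with plain PAM "required" semantics a rejected password would still be sent on to the stores, so validation must short-circuit while the store steps may keep running so that a failure in one store is reported alongside the others.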
Re: Change password flow ?

Tom Zeller-3
> propagate the reset to multiple stores

Ah, got it, thanks for saying that.

Tom
Re: Change password flow ?

Peter Gietz
Ldaptive's "Password Modify" is based on the Internet Draft https://tools.ietf.org/html/draft-behera-ldap-password-policy-10, which is the most standard-like thing I know of and which is implemented in a number of LDAP implementations.
Maybe this is the best guess for the "generic way" Scott was talking about in this thread.

Just 2 cents from a lurker.
Cheers,
Peter


On 07.06.2018 at 18:16, Tom Zeller wrote:
>> suitably abstracted [...] change step itself
> FWIW My plan is to use Ldaptive's "Password Modify", but I understand
> the need for abstraction.
>
> Tom
>
> http://www.ldaptive.org/docs/guide/operations/extended/passwordmodify.html
