
List:       wsf-javascript-dev
Subject:    Re: [Dev] [DEV] [IAM] Updating the password of an authenticated user in SCIM2
From:       Ashen Weerathunga <ashen () wso2 ! com>
Date:       2019-08-06 11:24:16
Message-ID: CAKr+rgYEgY=mEd03Jr3MdymLf-tJObTRQbjn8iaYgJkXeu0isA () mail ! gmail ! com


Hi Brion,

There can be multiple use cases where the users need to change the password,
such as forgot-password recovery and changing the password manually as they
require.

So in this case we provide the option to change the user's password manually
without any recovery options. Therefore, as Ruwan mentioned, we need to
request the existing password as a security measure. So it's better to go
with that option, and it should be validated as well, rather than just doing
it to improve the user experience. So you may use the provided existing
password to authenticate the /Me API, and only if it's successful will the new
password be updated.

Thanks,
Ashen

On Tue, Aug 6, 2019 at 3:12 PM Ruwan Abeykoon <ruwana@wso2.com> wrote:

> Hi Brion,
>
> The reason we ask to provide the current password is a security measure.
> Someone who has the user's session should not be able to update the password or
> any primary security-related data without proving he has access to that
> information.
>
> For the password, the user has to prove that he knows the (existing) password;
> for the phone number, the user has to prove that he owns the phone (OTP);
> for email, he has to prove that he has access to that email account
> (email confirmation link).
>
> Hence this needs to be done in a generic way, something like a verifiable
> claim.
>
> I do not see a problem attaching the existing password as basic auth,
> provided the API is authorized with a different mechanism (Token).
> Ideally these kinds of data updates would need to obtain a one-time, short-
> lived token for the patch operation, and the token should be revoked after
> first use.
>
>
> Cheers,
> Ruwan A
>
>
> On Tue, Aug 6, 2019 at 2:54 PM Brion Silva <brion@wso2.com> wrote:
>
>>
>>
>> On Tue, Aug 6, 2019 at 2:51 PM Brion Silva <brion@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> I'm in the process of implementing the password reset gadget in the new
>>> IS user portal.
>>>
>>> In the new user-portal, we consume the SCIM2 Me endpoint and we have the
>>> option to update the user's password using the PATCH operation [1]. This
>>> operation does not expect the current password and only relies on the
>>> authentication mechanism enforced for the API. So we need to clarify the
>>> following:
>>>
>>>    1. The current user-dashboard has a UI to capture the existing
>>>    password. So there will be a difference in user experience.
>>>    2. Will it be aligned with the general practice of IAM solutions?
>>>
>>> As a workaround we can capture the existing password from the new UI and
>>> call this PATCH operation using a basic auth header. But it will only
>>> provide the existing user experience.
>>>
>>> Appreciate your inputs on this.
>>>
>>> [1]
>>> https://docs.wso2.com/display/IS570/apidocs/SCIM2-endpoints/#!/operations#MeEndpoint#patchUserMe
>>>
>>> Thanks and Best Regards.
>>> --
>>> *Brion Silva* | Software Engineer | WSO2 Inc.
>>> (m) +94777933830 | (e) brion@wso2.com
>>>
>>> <https://wso2.com/signature>
>>>
>>
>>
>> --
>> *Brion Silva* | Software Engineer | WSO2 Inc.
>> (m) +94777933830 | (e) brion@wso2.com
>>
>> <https://wso2.com/signature>
>>
>
>
> --
> Ruwan Abeykoon | Director/Architect | WSO2 Inc.
> (w) +947435800  | Email: ruwana@wso2.com
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>


-- 
Ashen Weerathunga | Senior Software Engineer | WSO2 Inc.
(m) +94716042995 | (w) +94112145345 | Email: ashen@wso2.com
<http://wso2.com/signature>

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
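The policy the thread converges on (a PATCH on /Me may replace the password only after the caller re-proves the current one, ideally by exchanging it for a one-time, short-lived token that is revoked on first use) can be modelled in a few lines. The following is an added example written for this page; it is not WSO2 Identity Server or user-portal code, and the class, function and user names are hypothetical. It builds the RFC 7644 PatchOp body the portal would send, and a toy server side that refuses the password replace without a valid, unexpired, unused step-up token bound to the session user, while letting patches that do not touch the password through on the normal API authentication alone.

```python
"""Toy model of a SCIM2 /Me PATCH that refuses to replace the password unless
the caller has just re-proved the current one. Added illustration, not WSO2
Identity Server or user-portal code; every name here is hypothetical."""
import hashlib
import secrets
import time

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the in-memory store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def build_password_patch(new_password: str) -> dict:
    """SCIM 2.0 PatchOp body (RFC 7644, section 3.5.2) that replaces 'password'."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "password", "value": new_password}],
    }


def requested_password(patch: dict):
    """Return the new password a PatchOp asks for, or None if no operation
    touches the password attribute (both the 'path' and 'value'-dict forms)."""
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() not in ("replace", "add"):
            continue
        if op.get("path", "").lower() == "password":
            return op.get("value")
        if isinstance(op.get("value"), dict):
            for attr, val in op["value"].items():
                if attr.lower() == "password":
                    return val
    return None


class ScimMeService:
    """Hypothetical server side. `bearer_user` is the identity the API's normal
    token authentication already established; the step-up token is the extra
    proof of the current password, valid once and for a short time only."""

    def __init__(self, users: dict, now=time.time, ttl_seconds: int = 60):
        self._users = users      # username -> {"salt": bytes, "hash": bytes}
        self._step_up = {}       # token -> (username, expires_at)
        self._now = now
        self._ttl = ttl_seconds

    def verify_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        return secrets.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"])

    def issue_step_up_token(self, username: str, current_password: str):
        """Exchange the existing password (what the portal would send as Basic
        auth) for a one-time token; returns None when the password is wrong."""
        if not self.verify_password(username, current_password):
            return None
        token = secrets.token_urlsafe(32)
        self._step_up[token] = (username, self._now() + self._ttl)
        return token

    def _consume_step_up(self, token: str, username: str) -> bool:
        entry = self._step_up.pop(token, None)   # pop: revoked on first use
        if entry is None:
            return False
        owner, expires_at = entry
        return owner == username and self._now() <= expires_at

    def patch_me(self, bearer_user: str, patch: dict, step_up_token=None):
        """Returns (http_status, message)."""
        if SCIM_PATCH_SCHEMA not in patch.get("schemas", []):
            return 400, "not a SCIM PatchOp"
        new_pw = requested_password(patch)
        if new_pw is None:
            return 200, "no password change requested"   # other attributes not modelled
        if step_up_token is None or not self._consume_step_up(step_up_token, bearer_user):
            return 403, "current password must be verified before it can be replaced"
        salt = secrets.token_bytes(16)
        self._users[bearer_user] = {"salt": salt, "hash": _pw_hash(new_pw, salt)}
        return 200, "password updated"


def make_demo_service(now=time.time) -> ScimMeService:
    """Constructed sample store with one user; the password is made up."""
    salt = secrets.token_bytes(16)
    users = {"alice": {"salt": salt, "hash": _pw_hash("correct horse", salt)}}
    return ScimMeService(users, now=now)


if __name__ == "__main__":
    svc = make_demo_service()
    patch = build_password_patch("N3w-pass!")
    print(svc.patch_me("alice", patch))                  # 403: no proof of current password
    tok = svc.issue_step_up_token("alice", "correct horse")
    print(svc.patch_me("alice", patch, tok))             # 200: password updated
    print(svc.patch_me("alice", patch, tok))             # 403: token already used
```

The token is popped from the store before its owner and expiry are checked, so a token presented once, for any user, is gone; binding it to the session user means a token obtained with one identity cannot be spent on another. The simpler variant Brion describes, Basic auth on the PATCH itself, maps onto `issue_step_up_token` and `patch_me` being performed in a single request, with the same rule that the current password is verified before anything is written.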

