WSO2-IS - Giving "Invalid Code" after reset password - wso2

I'm trying to create a password for a new user created on WSO2-IS 5.11.0 using the link sent by email, but I'm facing an error after clicking Proceed:
Nothing shows up in the log.
Version: 5.11.0

When you get the mail check the password recovery link that you have received. There are two ways that you can find the link.
You can copy the link by right-clicking on the button.
Recovery link at the bottom of the page.
You should see a recovery link as below.
https://localhost:9443/accountrecoveryendpoint/confirmrecovery.do?confirmation=ea626c2f-47f7-4184-b927-5f230686716c&userstoredomain=PRIMARY&username=sominda&tenantdomain=carbon.super&callback=https%3A%2F%2Flocalhost%3A9443%2Fauthenticationendpoint%2Flogin.do%3Fclient_id%3DMY_ACCOUNT%26code_challenge%3Dmiilh2DN9GCQwLQVBn8s99fc2_D9Q8YoCAFX7GA4dLs%26code_challenge_method%3DS256%26commonAuthCallerPath%3D%2Foauth2%2Fauthorize%26forceAuth%3Dfalse%26passiveAuth%3Dfalse%26redirect_uri%3Dhttps%3A%2F%2Flocalhost%3A9443%2Fmyaccount%2Flogin%26response_mode%3Dform_post%26response_type%3Dcode%26scope%3DSYSTEM+openid%26tenantDomain%3Dcarbon.super%26sessionDataKey%3D1ca27665-1d5c-41f6-9e3e-e320139e2b94%26relyingParty%3DMY_ACCOUNT%26type%3Doidc%26sp%3DMy+Account%26isSaaSApp%3Dtrue%26authenticators%3DBasicAuthenticator%3ALOCAL
Check the value of the confirmation param. According to what you have received, its value should be %s. This means that the recovery code is not properly set in the email.
The reason for this can be an error when updating the email template. The email template for password recovery should contain a placeholder for confirmation. Make sure the placeholder is as follows.
confirmation={{confirmation-code}}
This should resolve your issue.
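A quick way to check a received recovery link for exactly this fault before clicking it, as an added example (not WSO2 code): it decodes the link, rejects a `confirmation` value that is template residue (`%s`, an unrendered `{{confirmation-code}}`, or empty) rather than a UUID, and decodes the nested `callback` so the inner OAuth parameters can be inspected. The sample links are constructed from the one in the answer; the bad one has the UUID replaced by `%s` as in the question.

```python
"""Sanity-check a WSO2 IS password-recovery link (added example, not WSO2 code)."""
import re
import uuid
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a healthy link (shortened from the one in the answer) and
# the broken variant from the question, where the template left "%s" behind.
GOOD_LINK = (
    "https://localhost:9443/accountrecoveryendpoint/confirmrecovery.do"
    "?confirmation=ea626c2f-47f7-4184-b927-5f230686716c&userstoredomain=PRIMARY"
    "&username=sominda&tenantdomain=carbon.super"
    "&callback=https%3A%2F%2Flocalhost%3A9443%2Fauthenticationendpoint%2Flogin.do"
    "%3Fclient_id%3DMY_ACCOUNT%26redirect_uri%3Dhttps%3A%2F%2Flocalhost%3A9443%2Fmyaccount%2Flogin"
)
BAD_LINK = GOOD_LINK.replace("ea626c2f-47f7-4184-b927-5f230686716c", "%s")

# Values that mean the email template did not render the confirmation code.
# "%s" survives parse_qs untouched because "%s" is not a valid percent escape.
PLACEHOLDER_RESIDUE = re.compile(r"%s|\{\{.*\}\}|")


def check_recovery_link(link: str) -> dict:
    """Return findings; 'ok' is True only when the confirmation code is a UUID."""
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    code = params.get("confirmation", [""])[0]
    findings = {"ok": False, "confirmation": code, "problem": None, "callback_client_id": None}

    if PLACEHOLDER_RESIDUE.fullmatch(code):
        findings["problem"] = "confirmation code not rendered; fix the email template placeholder"
    else:
        try:
            uuid.UUID(code)
            findings["ok"] = True
        except ValueError:
            findings["problem"] = "confirmation is not a UUID"

    # parse_qs percent-decodes the callback once, so its own query string is now visible.
    callback = params.get("callback", [""])[0]
    if callback:
        inner = parse_qs(urlsplit(callback).query)
        findings["callback_client_id"] = inner.get("client_id", [None])[0]
    return findings


if __name__ == "__main__":
    for name, link in (("good", GOOD_LINK), ("bad", BAD_LINK)):
        print(name, check_recovery_link(link))
```

If the bad link is reported, compare the stored template against the `confirmation={{confirmation-code}}` placeholder given in the answer; the endpoint cannot match `%s` to any stored code, which is why the UI only says "Invalid Code".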

Related

Unable to validate account confirmation in WSO2 version 6.0

When I'm validating the account by clicking the link given in the email during the account verification process (sign-up process), I'm getting the error below. Can you please suggest what is causing this error?
In the self-registration config section, there is a configuration for callback validation. It is provided as a regex. Make sure you have configured it properly.
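The callback regex is also a security control: a pattern that is not anchored to the application's own origin lets an attacker-supplied `callback` pass and turns the confirmation link into an open redirect. The following added example (not WSO2 code; the two regexes and the sample callbacks are assumptions for illustration) compares an unanchored search against a fully anchored match so you can see which callbacks each admits before putting a pattern into the self-registration config.

```python
"""Compare callback-validation regexes (added example, not WSO2 code)."""
import re

# Assumed patterns: the first only names the expected prefix; the second is
# anchored to the origin and to the two paths the application actually uses.
LOOSE_REGEX = r"https://localhost:9443/.*"
STRICT_REGEX = r"^https://localhost:9443/(myaccount|authenticationendpoint)/[^?#]*(\?.*)?$"

# Constructed callbacks: two legitimate, one attacker-controlled host that merely
# embeds the legitimate URL in its own query string.
CALLBACKS = [
    "https://localhost:9443/myaccount/login",
    "https://localhost:9443/authenticationendpoint/login.do?client_id=MY_ACCOUNT",
    "https://evil.example/?next=https://localhost:9443/myaccount/login",
]


def allowed_unanchored(pattern: str, callback: str) -> bool:
    """Matches anywhere in the string, so an embedded legitimate URL is enough."""
    return re.search(pattern, callback) is not None


def allowed_anchored(pattern: str, callback: str) -> bool:
    """The whole callback must match; nothing can be prepended or appended."""
    return re.fullmatch(pattern, callback) is not None


def admitted(check, pattern: str) -> list:
    """Return the constructed callbacks that the given check lets through."""
    return [cb for cb in CALLBACKS if check(pattern, cb)]


if __name__ == "__main__":
    print("loose, unanchored:", admitted(allowed_unanchored, LOOSE_REGEX))
    print("strict, anchored :", admitted(allowed_anchored, STRICT_REGEX))
```

Write the configured value with explicit `^` and `$` anchors and an escaped host; whether the server applies a full match internally is not something this example assumes, and the anchors cost nothing if it does.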

Resetting password redirection to myaccount doesn't work as expected

When I create a User in my test application, an email is sent to the user to create a password in order to log in successfully to the application.
In this email, there is a link to set the password. After entering the new password and clicking the Proceed button, we are redirected to the /carbon management page instead of the /myaccount page.
By investigating more, I found out that if I try to access the My Account page passing the query param
passwordReset=true I get a 405 Method Not Allowed error.
The version of wso2is is 5.11.0
What is the correct configuration so that after a user sets the password we could redirect him to log in directly to our test application or my account?
You have to append the query parameter callback to define where you want to redirect after the reset. A sample reset password link:
e.g. https://{is-server}/accountrecoveryendpoint/confirmrecovery.do?confirmation=151cbca7-2961-45d7-a108-49f34ade6aea&userstoredomain=USER&username=sample&callback={test-application-url}&type=reset
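Because the callback is itself a URL with its own query string, it has to be percent-encoded as one value when appended; pasted in verbatim, its `&`-separated parameters spill into the outer link and the recovery endpoint receives a truncated callback. The following added example (not WSO2 code; the server host and the application callback are constructed) builds the link both ways and shows what the endpoint actually parses out.

```python
"""Build a reset link with an encoded callback (added example, not WSO2 code)."""
from urllib.parse import urlencode, urlsplit, parse_qs

IS_SERVER = "localhost:9443"  # assumed server host
# Constructed application callback; note that it carries its own query string.
APP_CALLBACK = (
    "https://localhost:9443/authenticationendpoint/login.do"
    "?client_id=MY_ACCOUNT&redirect_uri=https://localhost:9443/myaccount/login"
)


def build_reset_link(confirmation, username, userstoredomain, callback, is_server=IS_SERVER):
    """Encode every parameter so the nested callback survives as a single value."""
    params = {
        "confirmation": confirmation,
        "userstoredomain": userstoredomain,
        "username": username,
        "callback": callback,
        "type": "reset",
    }
    return f"https://{is_server}/accountrecoveryendpoint/confirmrecovery.do?{urlencode(params)}"


def naive_reset_link(confirmation, username, userstoredomain, callback, is_server=IS_SERVER):
    """The mistake: string-concatenating the callback without encoding it."""
    return (
        f"https://{is_server}/accountrecoveryendpoint/confirmrecovery.do"
        f"?confirmation={confirmation}&userstoredomain={userstoredomain}"
        f"&username={username}&callback={callback}&type=reset"
    )


def received_params(link: str) -> dict:
    """What a standard query-string parser on the recovery endpoint would see."""
    return {key: values[0] for key, values in parse_qs(urlsplit(link).query).items()}


if __name__ == "__main__":
    code = "151cbca7-2961-45d7-a108-49f34ade6aea"
    print(received_params(build_reset_link(code, "sample", "USER", APP_CALLBACK))["callback"])
    print(received_params(naive_reset_link(code, "sample", "USER", APP_CALLBACK))["callback"])
```

With the encoded form the callback comes back intact, including its `redirect_uri`; with the naive form `redirect_uri` shows up as a stray top-level parameter of the recovery link and the callback ends at `client_id=MY_ACCOUNT`.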

Admin SDK generate link to access reset password page

In GSuite, creating a user or resetting a password gives you the option to notify the user by mail. The email contains a link where he can then set a new password.
Is there any way to reproduce that with googleapis?
Can't find anything related to that in the reference API: https://developers.google.com/admin-sdk/directory/v1/reference/
The response from POST https://www.googleapis.com/admin/directory/v1/users doesn't seem to provide any information to create that link.
Thanks

Invalidating old Reset Password Links in WSO2 Identity Server

I am following this guide to allow users to reset their password using email. The problem is that when the user requests a "password reset link" multiple times, the old links generated are not invalidated. (The password can be reset using either the latest link or the old links.)
Is there any parameter I can set to invalidate the old links?
There is a property file called identity-mgt.properties which you can find in the /repository/conf/identity/ directory.
In this property file, there is a property called Notification.Expire.Time which you can use to set the confirmation code expiry time in minutes.
Notification.Expire.Time denotes the expiration time of the confirmation code. Even in a notification recovery scenario a confirmation code is generated. If notification is done via email, the link sent to the user for verification will include the confirmation code. Therefore, once the user clicks that link, the confirmation code will be verified. Thus, you can use this property to validate the link.
Currently, generated confirmation codes are invalidated only once the user changes his password successfully. So, as you have mentioned, the user will be able to recover his password using any confirmation code he has retrieved. And when the user successfully changes the password, all the confirmation codes generated before that are invalidated. This is the default behaviour for now and we don't have a configuration to change that.
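To make the two lifecycles concrete, here is an added example (a model written for this page, not WSO2 Identity Server code) of a confirmation-code store. With `revoke_on_reissue=False` it behaves as the answer describes: every unexpired code for a user stays usable until one of them is consumed by a successful password change, and then all of them die. With `revoke_on_reissue=True` it shows the stricter policy the question is asking for, where issuing a new code revokes the earlier ones. Expiry follows the Notification.Expire.Time idea and is given in minutes; the timestamps and username are constructed.

```python
"""Confirmation-code lifecycle model (added example, not WSO2 code)."""
import secrets
from datetime import datetime, timedelta, timezone


class ConfirmationCodeStore:
    def __init__(self, expire_minutes: int, revoke_on_reissue: bool = False):
        self.expire = timedelta(minutes=expire_minutes)  # Notification.Expire.Time analogue
        self.revoke_on_reissue = revoke_on_reissue
        self._codes = {}  # code -> (username, issued_at)

    def issue(self, username: str, now: datetime) -> str:
        """Mint a new code; optionally revoke the user's outstanding ones first."""
        if self.revoke_on_reissue:
            self._revoke_user(username)
        code = secrets.token_urlsafe(24)
        self._codes[code] = (username, now)
        return code

    def _revoke_user(self, username: str) -> None:
        for code in [c for c, (u, _) in self._codes.items() if u == username]:
            del self._codes[code]

    def is_valid(self, code: str, now: datetime) -> bool:
        """A code is valid if it is still stored and has not passed its expiry."""
        entry = self._codes.get(code)
        if entry is None:
            return False
        _, issued_at = entry
        return now - issued_at <= self.expire

    def reset_password(self, code: str, new_password: str, now: datetime) -> bool:
        """Consume a valid code; on success every code for that user is invalidated."""
        if not self.is_valid(code, now):
            return False
        username, _ = self._codes[code]
        # A real store would update the credential here; the model only revokes codes.
        self._revoke_user(username)
        return True


def walk_through(revoke_on_reissue: bool) -> dict:
    """Constructed scenario: two links requested, the second one used to reset."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ConfirmationCodeStore(expire_minutes=60, revoke_on_reissue=revoke_on_reissue)
    first = store.issue("sample", t0)
    second = store.issue("sample", t0 + timedelta(minutes=5))
    return {
        "old_valid_after_reissue": store.is_valid(first, t0 + timedelta(minutes=10)),
        "old_valid_past_expiry": store.is_valid(first, t0 + timedelta(minutes=61)),
        "reset_with_new": store.reset_password(second, "new-pass", t0 + timedelta(minutes=10)),
        "old_valid_after_reset": store.is_valid(first, t0 + timedelta(minutes=11)),
        "new_reusable": store.reset_password(second, "again", t0 + timedelta(minutes=12)),
    }


if __name__ == "__main__":
    print("default policy :", walk_through(False))
    print("revoke-on-issue:", walk_through(True))
```

Under the default policy the only levers are the expiry window and the fact that a successful reset clears everything; shortening Notification.Expire.Time narrows the exposure of an old link but does not remove it.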

Why I can't confirm un-confirmed accounts?

In my Rails app, I discovered that the key :confirmable was not included in the user model, so when I added it, users now have to confirm their email. What happens is the following:
The user tries to sign in and gets an error:
You have to confirm your account before continuing.
And a link:
Didn't receive confirmation instructions?
The user clicks on the link Didn't receive confirmation instructions? and fills in his email.
A confirmation email is sent, but when the user clicks on the link he gets an error:
Some errors were found, please take a look:
But there are no details about the error, and even in the server logs there is nothing useful, only:
cache: [GET /en/users/confirmation?confirmation_token=14d82c74793ca19a58aff93d328fb4b06a7c8da53aef79a82c140a95e7cf7f4a] pass
So, how can I get a more useful error, or how can I debug this?