WSO2IS 5.3.0: For CSRF prevention purposes, we'd like to add captcha to the password reset via recovery email flow. It seems not too difficult to update our accountrecoveryendpoint jsps to do this, but I just wanted to double check if this something that's configurable already.
From WSO2IS 5.8.0 onwards we support reCAPTCHA for the password recovery and username recovery flows. Corresponding docs are https://docs.wso2.com/display/IS580/Password+Recovery
https://docs.wso2.com/display/IS580/Configuring+reCaptcha+for+Password+Recovery
I am using WSO2 IS 5.9.0 and I want to change the pattern of the confirmation code that WSO2 IS sends when you try to recover the password (/api/identity/recovery/v0.9/recover-password).
This code has the following format: 11ca0057-4111-4b88-1574-142ad65239kl
I want the following format: MXC231D
Can I change the pattern of the confirmation code in the password recovery email in WSO2 IS?
If the answer is "Yes", where can I change it?
Thank you
Currently, it is not allowed to configure the code pattern for account recovery and confirmation flows.
It is generated here if you are planning to patch.
I can't figure out why I can't send email in Django.
I've enabled 2-step verification and generated App Password for this connection.
But Gmail SMTP returns:
SMTPAuthenticationError: (535, b'5.7.8 Username and Password not accepted. Learn more at\n5.7.8 https://support.google.com/mail/?p=BadCredentials q29sm16257362qtc.10 - gsmtp')
I thought that using an App Password would not cause such errors.
EDIT:
The email uses a custom domain but I guess this is not a problem. I think that smtp.gmail.com should work.
I haven't allowed less secure apps since I think it is not needed with an App Password.
I had the same problem with two-factor authentication and allowed less secure apps. It is necessary to use an App Password! There is still one last feature to activate: https://accounts.google.com/DisplayUnlockCaptcha
If you have a G Suite domain, click on this link: https://admin.google.com/ac/security/lsa and "Allow users to manage their access to less secure applications"
I am integrating WSO2 IS with our Node.js backend and React.js frontend and was successful in performing operations for login, sign up and API calls.
Please help me: how can I change the password of an existing user using any API of WSO2 IS?
Please help
There are different ways to change a password in WSO2 Identity Server. You can choose one based on your requirements.
Option 1:
Admins can force a password reset for a user account. Please refer to this document for configuring admin forced password reset.
UserProfileMgtService (a SOAP service) is used for admin forced password reset. Once the admin has invoked the SOAP service, an email link will be sent to the user's email address and the user can change the password by clicking on the link in the verification email (or by using the OTP).
Option 2:
You can also force a password reset via a SCIM patch operation. Refer to this document for further details about the SCIM patch operation.
Do the required configuration for force password reset. Refer to this document for admin forced password recovery.
Add a SCIM 2 schema extension for force password reset.
Choose either 'Enable Password Reset via Recovery Email' or 'Enable Password Reset via OTP'.
Try the SCIM2 patch operation to enable force password reset for a user:
curl -v -k --user admin:admin \
  --header "Content-Type:application/json" \
  'https://localhost:9443/scim2/Users/[scim_user_id]' \
  -X PATCH \
  -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"Operations":[{"op":"add","value":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"forcePasswordReset":true}}}]}'
Option 3:
You can use the UserAdmin SOAP service to update the user password. Please refer to the SOAP service here. This admin service is also used in the WSO2 dashboard. You can call this SOAP service as a REST call as well. This will directly change the user's password without sending any email notification or verification.
Option 4:
If you need password recovery, in case the user forgot the password, the user can recover the password via email notification or using challenge questions. Please refer to this document to configure the password recovery feature.
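Since the asker's backend is Node.js, here is the SCIM2 force-password-reset call from Option 2 as a Node function. This is an added example, not code from the answer above or from WSO2: it assumes Node 18+ (global fetch), that the Identity Server base URL, an admin service account and the target user's SCIM id are supplied by the caller, and that the server certificate is trusted through NODE_EXTRA_CA_CERTS rather than by disabling verification as curl's -k does.

```javascript
// Added example (not from the original answer or from WSO2). Sends the
// SCIM2 PATCH that sets the enterprise-extension attribute forcePasswordReset,
// which makes WSO2 IS lock the account and mail the user a reset link/OTP.
// Assumptions: Node 18+ with global fetch; the caller supplies baseUrl,
// admin credentials and the SCIM user id; the IS certificate is trusted via
// NODE_EXTRA_CA_CERTS instead of skipping TLS verification.

const SCIM_PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp";
const ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";

// PatchOp body equivalent to the curl -d payload in the answer.
function buildForcePasswordResetPatch() {
  return {
    schemas: [SCIM_PATCH_OP, ENTERPRISE_EXT],
    Operations: [
      {
        op: "add",
        value: { [ENTERPRISE_EXT]: { forcePasswordReset: true } },
      },
    ],
  };
}

// HTTP Basic credential for the admin service account (what --user does in curl).
function basicAuthHeader(username, password) {
  return "Basic " + Buffer.from(`${username}:${password}`, "utf8").toString("base64");
}

// SCIM2 user resource URL. The id is path-encoded so a caller-supplied value
// containing "/" or "?" cannot steer the request at a different resource.
function scimUserUrl(baseUrl, userId) {
  return `${baseUrl.replace(/\/+$/, "")}/scim2/Users/${encodeURIComponent(userId)}`;
}

// Performs the PATCH. Throws on any non-2xx status so a 401/403/404 is never
// mistaken for a reset that actually reached the user.
async function forcePasswordReset({ baseUrl, userId, adminUser, adminPassword, fetchImpl = fetch }) {
  const res = await fetchImpl(scimUserUrl(baseUrl, userId), {
    method: "PATCH",
    headers: {
      "Content-Type": "application/json",
      Authorization: basicAuthHeader(adminUser, adminPassword),
    },
    body: JSON.stringify(buildForcePasswordResetPatch()),
  });
  if (!res.ok) {
    const detail = await res.text();
    throw new Error(`SCIM2 PATCH failed: HTTP ${res.status} ${detail}`);
  }
  return res.json();
}

// Stand-alone use: credentials and target come from the environment, so they
// are never hard-coded the way admin:admin is in the curl sample.
if (typeof process !== "undefined" && process.env.IS_BASE_URL) {
  forcePasswordReset({
    baseUrl: process.env.IS_BASE_URL,
    userId: process.env.IS_SCIM_USER_ID,
    adminUser: process.env.IS_ADMIN_USER,
    adminPassword: process.env.IS_ADMIN_PASSWORD,
  })
    .then((user) => console.log("force reset requested for", user.userName ?? user.id))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

The account the backend uses here needs only the permission to update users over SCIM2; using the built-in admin account from the curl sample in production gives the Node service far more than it needs.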
We use the following feature in WSO2IS 5.3.0:
https://docs.wso2.com/display/IS530/Forced+Password+Reset#ForcedPasswordReset-PasswordResetviaRecoveryEmail
This feature sends an email for the user to reset their password, but also sends the user a "Locked Account" email. Is there a way to prevent the "Locked Account" email being sent without modifying the source code of the WSO2 extension that seems to be driving this feature? (in particular, the offending line seems to be here https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/AdminForcedPasswordResetHandler.java#L129 . )
I have checked this feature in both Identity Server versions 5.3.0 and 5.5.0. Forced password reset via recovery mail puts the user account into the locked state, but it does not send two emails for forced password reset and account lock. Please check your steps.
Find the Forced Password Reset claim in the wso2 claim dialect (http://wso2.org/claims).
Check Supported by Default on http://wso2.org/claims/identity/adminForcedPasswordReset.
Go to the user profile; you will find an attribute named Force Password Reset. Make it true by typing "true" in the text box.
At the end of the third step you should get only a single email regarding admin password reset.
I followed the below steps to enable password recovery using email notification.
https://docs.wso2.com/display/IS530/Password+Recovery
When I click the forgot password button on the dashboard login page, it asks for the username and after that throws the below error:
Code : 20017
Message :Notification based password recovery is not enabled
I checked the code in GitHub and found that the property recovery.notification.password.enable is used, but I could not locate it in any config file or any documentation. I am using WSO2IS 5.3.0.
How can I enable password recovery through the end user dashboard if it is not mentioned in the above steps?
I assume you are following the old and deprecated method. The steps for the new APIs are available in the REST API Guide; it is also linked from the section "Password recovery using REST APIs" on the page you referred to.
What you need to do is enable Notification Based Password Recovery in the Resident Identity Provider configuration in the management console and optionally set the expiry time for notifications.