We use the following feature in WSO2IS 5.3.0
https://docs.wso2.com/display/IS530/Forced+Password+Reset#ForcedPasswordReset-PasswordResetviaRecoveryEmail
This feature sends an email for the user to reset their password, but also sends the user a "Locked Account" email. Is there a way to prevent the "Locked Account" email being sent without modifying the source code of the WSO2 extension that seems to be driving this feature? (in particular, the offending line seems to be here https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/AdminForcedPasswordResetHandler.java#L129 . )
I have checked this feature in both Identity Server versions 5.3.0 and 5.5.0. Forced password reset via recovery mail puts the user account into a locked state, but it does not send two emails for forced password reset and account lock. Please check your steps.
Find the Forced Password Reset claim in the wso2 claim dialect (http://wso2.org/claims).
Check Supported by Default on http://wso2.org/claims/identity/adminForcedPasswordReset.
Go to the user profile; you will find an attribute named Force Password Reset. Make it true by typing "true" in the text box.
At the end of the third step you should get only a single email regarding the admin password reset.
Related
WSO2IS 5.3.0: For CSRF prevention purposes, we'd like to add captcha to the password reset via recovery email flow. It seems not too difficult to update our accountrecoveryendpoint jsps to do this, but I just wanted to double check if this something that's configurable already.
From WSO2IS 5.8.0 onwards we support reCAPTCHA for the password recovery and username recovery flows. The corresponding docs are https://docs.wso2.com/display/IS580/Password+Recovery
https://docs.wso2.com/display/IS580/Configuring+reCaptcha+for+Password+Recovery
I followed the below steps to enable password recovery using email notification.
https://docs.wso2.com/display/IS530/Password+Recovery
When I click the forgot password button on the dashboard login page, it asks for the username and after that throws the error below:
Code : 20017
Message :Notification based password recovery is not enabled
I checked the code on GitHub and found that the property recovery.notification.password.enable is used, but I could not locate it in any config file or any documentation. I am using WSO2IS 5.3.0.
How can I enable password recovery through the end user dashboard if it is not mentioned in the steps above?
I assume you are following the old and deprecated method. The steps for the new APIs are available in the REST API Guide; it is also linked from the section "Password recovery using REST APIs" on the page you referred to.
What you need to do is enable Notification Based Password Recovery Enabled in the Resident Identity Provider configuration in the management console and optionally set the expiry time for notifications.
On the Drupal 8 /admin/config/account setting page, I've checked the box that allows users to register themselves and get approval from the admin.
I've created a new user account and got the confirmation below:
“Thank you for applying for an account. Your account is currently pending approval by the site administrator.
In the meantime, a welcome message with further instructions has been sent to your email address.”
I've never got the welcome message, even though I could see the user that I'd created under /admin/people - it was blocked.
I've checked spam folders and used different browsers, but there was no such confirmation email...
So, as admin, I unblocked this account - but I still could not log in since I don't have any confirmation email with a password.
I could only log the user in if I, as admin, provided the login id and password for the user.
Is it possible on Drupal 8 to allow users to register themselves and receive a confirmation email?
If so, how do I do so?
Or can only the admin register users, and users cannot register themselves?
Thanks.
The SMTP server requires authentication to be enabled.
I tried to send test mail using an account that is not connected to my hosting - it wouldn't work.
So, I set up a mailbox in the account and updated its details in the SMTP AUTHENTICATION section as well as in the E-MAIL OPTIONS section.
I sent an email to my test account by saving the configuration, and it was successfully delivered.
So now users can sign up, get confirmations by email and register themselves by changing their passwords.
I am following this guide to allow the users to reset the password using email. The problem is when the user requests "password reset link" for multiple times, the old links generated are not invalidated. (Password can be reset using either the latest link or old links).
Is there any parameter I can set to invalidate the old links?
There is a property file called identity-mgt.properties which you can find in the /repository/conf/identity/ directory.
In this property file there is a property called Notification.Expire.Time, which you can use to set the confirmation code expiry time in minutes.
Notification.Expire.Time denotes the expiration time of the confirmation code. Even in a notification recovery scenario a confirmation code is generated. If notification is done via email, the link sent to the user for verification will include the confirmation code. Therefore, once the user clicks that link, the confirmation code will be verified. Thus, you can use this property to validate the link.
Currently, generated confirmation codes are invalidated only once the user changes his password successfully. So, as you have mentioned, the user will be able to recover his password using any confirmation code he has retrieved. When the user successfully changes the password, all the confirmation codes generated before that are invalidated. This is the default behaviour for now, and we don't have a configuration to change that.
I'm using the flask-login library, and I haven't been able to find any good tutorials or documentation on how to go about allowing a user to reset their password through an email. What direction/resources can I look at on how to do this? A thorough google search didn't reveal anything useful.
Base logic:
Create a reset password form with an email field.
When the user submits the form, you should:
check this email in the database
generate a cryptographically random secret key (hereafter just "secret key")
store this key, the current timestamp and the user identifier in a cache or database
send it to the user by email or SMS
When the user applies the secret key (for example via a URL or a special form), you should:
validate it (exists, not expired, not used before)
get the user identifier
delete or mark as used the current secret key
provide logic to enter/generate a new password.
The logic to enter/generate the password can differ:
log the user in and show a form to enter the new password - a one-time login key
show a form to enter the password, then log in if valid
generate a new password and send it to the user's email
generate a new secret key for the form to enter the new password and send it to the user's email
generate a new secret key to approve the form, send it via SMS, show a form to enter the new password and the approval secret key, then log in if valid
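The two halves of the flow above (mint a key on form submit, then validate and burn it on redemption) as an added example; this is not code from the answer or from flask-login. The stores, the one-hour TTL and the sample user are constructed assumptions standing in for a real database or cache.

```python
import hashlib
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 3600  # assumed: reset links expire after one hour

# Constructed in-memory stores standing in for a database or cache.
USERS_BY_EMAIL = {"alice@example.com": 42}
RESET_TOKENS = {}  # sha256(token) -> {"user_id", "issued_at", "used"}


def _digest(token: str) -> str:
    # Persist only a hash, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Form submit: check the email, mint a secret key, record it.

    Returns the raw token to embed in the emailed link, or None when the
    email is unknown (show the same neutral message either way so the
    form cannot be used to enumerate accounts).
    """
    user_id = USERS_BY_EMAIL.get(email)
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, crypto-random
    RESET_TOKENS[_digest(token)] = {
        "user_id": user_id,
        "issued_at": time.time() if now is None else now,
        "used": False,
    }
    return token


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[int]:
    """Link click: validate (exists, not expired, not used) and burn the key.

    Returns the user id that may now be shown the new-password form, else None.
    """
    record = RESET_TOKENS.get(_digest(token))
    if record is None or record["used"]:
        return None
    current = time.time() if now is None else now
    if current - record["issued_at"] > RESET_TTL_SECONDS:
        return None
    record["used"] = True  # single use: the same link cannot be replayed
    return record["user_id"]
```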
flask-login doesn't take care of reset password emails and other such things. It's just there to manage sessions and cookies.
You should use Flask-Security which adds password reset functionality and other common security related features to flask. Flask-Security uses flask-login to handle sessions, but adds other features on top to round out the security features:
Email Confirmation
If desired you can require that new users confirm their email address.
Flask-Security will send an email message to any new users with an
confirmation link. Upon navigating to the confirmation link, the user
will be automatically logged in. There is also view for resending a
confirmation link to a given email if the user happens to try to use
an expired token or has lost the previous email. Confirmation links
can be configured to expire after a specified amount of time.
Password Reset/Recovery
Password reset and recovery is available for when a user forgets his
or her password. Flask-Security sends an email to the user with a link
to a view which they can reset their password. Once the password is
reset they are automatically logged in and can use the new password
from then on. Password reset links can be configured to expire after a
specified amount of time.
User Registration
Flask-Security comes packaged with a basic user registration view.
This view is very simple and new users need only supply an email
address and their password. This view can be overrided[sic] if your
registration process requires more fields.
Flask-Login only provides user session management for Flask. It handles the common tasks of logging in, logging out, and remembering your users' sessions over extended periods of time, but not reset password, change password, email confirmation etc.
Flask-Security was the best and easiest option to do these. It pretty much handles everything, but it is not actively maintained.
Note
This project is not maintained anymore. Consider the
Flask-Security-Too project as an alternative. -- From the flask-security
Github repo
So I recommend the Flask-Security-Too library, which is an improved version and actively maintained. It also has many more features, like 2FA auth, unified sign-in etc.
You can install it using pip
pip install flask-security-too flask-sqlalchemy
and import the library like this (the package is imported as flask_security, with an underscore):
from flask_security import current_user, login_required
There are some complete (but simple) examples available in the examples directory of the Flask-Security repo.
Documentation : https://flask-security-too.readthedocs.io/en/stable/index.html