Invalidating old Reset Password Links in WSO2 Identity Server - wso2

I am following this guide to allow the users to reset the password using email. The problem is when the user requests "password reset link" for multiple times, the old links generated are not invalidated. (Password can be reset using either the latest link or old links).
Is there any parameter I can set to invalidate the old links?

There is a property file called identity-mgt.properties which you can find in the /repository/conf/identity/ directory.
In this property file, there is a property called Notification.Expire.Time which you can use to set the confirmation code expiration time in minutes.
Notification.Expire.Time denotes the expiration time of the confirmation code. Even in a notification recovery scenario a confirmation code is generated. If notification is done via email, the link sent to the user for verification will include the confirmation code. Therefore, once the user clicks that link, the confirmation code will be verified. Thus, you can use this property to validate the link.

Currently, generated confirmation codes are invalidated only once the user changes his password successfully. So, as you have mentioned, the user will be able to recover his password using any confirmation code he has retrieved. And when the user successfully changes the password, all the confirmation codes generated before that are invalidated. This is the default behaviour for now and we don't have a configuration to change that.
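An added example (my code, not WSO2 code or code from the answer above) modelling the two behaviours the answer describes: a per-code expiry in minutes, the role Notification.Expire.Time plays, and invalidation of all of a user's outstanding codes once the password is changed successfully. It also implements the stricter policy the question asks for, revoking earlier codes whenever a new one is requested. `ResetCodeStore` and its methods are hypothetical names, not WSO2 APIs.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


class ResetCodeStore:
    """Outstanding password-reset confirmation codes, keyed by their SHA-256
    so that a leaked store does not yield usable reset links (hypothetical class)."""

    def __init__(self, expire_minutes: int = 10, single_active_code: bool = False):
        self.expire_seconds = expire_minutes * 60       # cf. Notification.Expire.Time (minutes)
        self.single_active_code = single_active_code    # True: a new request revokes older codes
        self._codes: Dict[str, Tuple[str, float]] = {}  # sha256(code) -> (user, issued_at)

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for `user`, optionally revoking the earlier ones."""
        now = time.time() if now is None else now
        if self.single_active_code:
            self.revoke_all(user)
        code = secrets.token_urlsafe(32)
        self._codes[self._key(code)] = (user, now)
        return code

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """True if `code` belongs to `user` and has not expired; expired codes are purged."""
        now = time.time() if now is None else now
        key = self._key(code)
        entry = self._codes.get(key)
        if entry is None or entry[0] != user:
            return False
        if now - entry[1] > self.expire_seconds:
            del self._codes[key]
            return False
        return True

    def complete_reset(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """Successful reset: accept the code, then invalidate every code for the user
        (the default behaviour described in the answer above)."""
        if not self.verify(user, code, now):
            return False
        self.revoke_all(user)
        return True

    def revoke_all(self, user: str) -> int:
        """Drop every outstanding code for `user`; returns how many were removed."""
        stale = [k for k, (owner, _) in self._codes.items() if owner == user]
        for k in stale:
            del self._codes[k]
        return len(stale)
```

With `single_active_code=False` the store behaves like the default described above (every unexpired code works until one is used); with `True`, only the most recently issued link is accepted.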

Related

AWS Cognito - Reset User Password by sending the code and link to the reset form

I'm trying to implement the following logic in AWS Cognito:
An AWS Lambda catches the CustomMessage_ForgotPassword event,
The Lambda function returns an HTML template which contains the reset code, and what I'm trying to do is add a button with a link which should redirect the user to the Cognito form where they enter the code + new password.
I've created the link https://${ENVIRONMENT}/confirmForgotPassword?client_id=${CLIENT_ID}&redirect_uri=${REDIRECT_APP}&scope=openid%20profile%20email&response_type=token&user_name=${userName}&confirmation_code={####}.
When I click on the link inside email I navigate to the page, which shows me an error:
I would like to navigate:
The question: Is it possible to send a code with the constructed link to the form by email?
The Lambda function returns an HTML template which contains the reset code, and what I'm trying to do is add a button with a link which should redirect the user to the Cognito form where they enter the code + new password.
I don't think this is possible. The person should already be on that page, having just clicked the "reset password" link, which triggered your Lambda function to run, so they shouldn't need another link to the same page. Or they just logged in and landed on the reset page, because you flagged their account as needing to reset the password. In either case, they are already on the page that is waiting for them to read the code your Lambda function generated, and type it into the input field. That page is not designed to be refreshed, or loaded directly, as it could pose a security risk if bots could spam that page with different codes.

WSO2-IS - Giving "Invalid Code" after reset password

I'm trying to create a password for a new user created on WSO2-IS 5.11.0 using the link sent by email, but I'm facing an error after clicking on Proceed:
The log doesn't show anything.
Version: 5.11.0
When you get the mail check the password recovery link that you have received. There are two ways that you can find the link.
You can copy the link by right-clicking on the button.
Recovery link at the bottom of the page.
You should see a recovery link as below.
https://localhost:9443/accountrecoveryendpoint/confirmrecovery.do?confirmation=ea626c2f-47f7-4184-b927-5f230686716c&userstoredomain=PRIMARY&username=sominda&tenantdomain=carbon.super&callback=https%3A%2F%2Flocalhost%3A9443%2Fauthenticationendpoint%2Flogin.do%3Fclient_id%3DMY_ACCOUNT%26code_challenge%3Dmiilh2DN9GCQwLQVBn8s99fc2_D9Q8YoCAFX7GA4dLs%26code_challenge_method%3DS256%26commonAuthCallerPath%3D%2Foauth2%2Fauthorize%26forceAuth%3Dfalse%26passiveAuth%3Dfalse%26redirect_uri%3Dhttps%3A%2F%2Flocalhost%3A9443%2Fmyaccount%2Flogin%26response_mode%3Dform_post%26response_type%3Dcode%26scope%3DSYSTEM+openid%26tenantDomain%3Dcarbon.super%26sessionDataKey%3D1ca27665-1d5c-41f6-9e3e-e320139e2b94%26relyingParty%3DMY_ACCOUNT%26type%3Doidc%26sp%3DMy+Account%26isSaaSApp%3Dtrue%26authenticators%3DBasicAuthenticator%3ALOCAL
Check the value of the confirmation param. According to what you have received, its value should be %s. This means that the recovery code is not properly set in the email.
The reason for this can be an error when updating the email template. The email template for password recovery should contain a placeholder for confirmation. Make sure the placeholder is as follows.
confirmation={{confirmation-code}}
This should resolve your issue.

Amazon Cognito - using adminResetUserPassword method with hosted ui result in verification code being sent twice

Good afternoon,
I'm using Cognito hosted ui with some admin methods to configure my authentication flow.
I'd like my users to have the possibility to reset their own passwords using the Forgot your password? link on the hosted ui which works fine. But an administrator should also be able to force reset any user's password.
For that I use adminResetUserPassword https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html which works fine, except that it sends a first verification code by email, and then when the user returns to the hosted UI page and enters his (right but old) password, he is redirected to the /forgotPassword page, is prompted to enter his username (email) and then receives a second verification code.
The first one is then expired. I find it a bit confusing for the user to receive the verification code twice and the first one is never used.
I reckon I need to find a way to redirect my users to /confirmPassword instead of /forgotPassword which re-triggers a new verification code. Is there a way to do this?
Many thanks,

Flask-Security reset password functionality exploited

I have a Flask application running on a production environment, and one of the users requested a password reset, which sent out an email to them with a link back to the site for resetting the password.
That email got shared with a third-party probably, and the link got exposed. Now the reset request is being spammed from multiple IP addresses. There is a timer I set using the SECURITY_RESET_PASSWORD_WITHIN config parameter to 30 mins and I can see that it does work as intended, the link is invalidated and throws an error saying the link has expired.
But the default behavior of the Flask-Security package is to re-send the reset email to the user if the token has expired when doing a GET request to the reset page with the expired token. So someone can keep spamming that expired link using
GET /reset/token_id
and the user keeps getting sent reset emails.
What is the correct way to handle this situation?
Once the user changes their password, those tokens should be viewed as 'invalid' and then not send emails any more.

ConfirmationCode is not getting invalid in wso2

When I use the UserInformationRecoveryService verifyConfirmationCode web service, the code should become invalid after it is verified once. We are sending an askPassword email after creating a user. The user should be able to use that confirmation code only once.
Is there any config that needs to be modified?
Currently confirmation codes retrieved at password reset will be only invalidated at successful password reset or at confirmation code expiration. Please follow details here.
As far as I remember, we had a plan to make this configurable, but from the jira I can't find that we have implemented it or not, so most likely we haven't done that yet.