sts 3.3 spec
In general, there are three types of password change:
- password change to a new one
- password change of an expired password
- password reset of a forgotten password
We are planning for 3.3 to support password change for cases 1 and 2, and to handle both the same way (i.e. enter old password, enter new password, confirm new password). We will ship this solution first and add case 3 (reset of a forgotten password) together with a more secure reset methodology as an enhancement in a future release; that more secure methodology would be a configurable option that a cloud admin could also enable for case 2.
Currently password-based authentication is done using HTTP Basic Auth:
- The HTTP request passes the encoded values through the `Authorization` header.
- The passed values are processed in `TokensQueryPipeline`.
- `TokensQueryPipeline` submits an instance of `AccountUsernamePasswordCredentials` with the needed bits.
- `PasswordLoginModule` verifies the existence of the related account and user.
- `PasswordLoginModule` attempts to call `PasswordAuthentication.authenticate`.
- If `PasswordAuthentication.authenticate` succeeds, then `PasswordLoginModule` checks for expiration.
- If the password is expired, a `CredentialExpiredException` is produced.
In the expired-password case (case 2), a previous call to obtain a token resulted in a `CredentialExpiredException`, and the expected behaviour of the caller is to prompt the user for a new password and resubmit the request with both the old and the new password.
The following changes are needed:
- The new password has to be included in the request somehow.
- The new password has to be checked before throwing `CredentialExpiredException`, as the request may be an attempt to update the password.
- The new password also has to be checked when the current password is valid (not expired), as that may likewise be an attempt to update the password.
- When a new password is provided in either of the above cases, the user's password should be updated.
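The decision logic that the flow above and the change list describe, written out as an added, self-contained example (this is not code from the STS project; `PasswordChangeDemo`, its in-memory account map, the PBKDF2 storage format and the 90-day expiry are all assumptions chosen for the illustration). The point it makes is the ordering the spec asks for: the current password is always verified first, the optional new password is examined before `CredentialExpiredException` is raised, and a valid, unexpired login that carries a new password is treated as an update as well.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/** Hypothetical stand-in for the login module; not the project's PasswordLoginModule. */
public class PasswordChangeDemo {

    /** Stored credential: PBKDF2 hash, its salt and the instant after which it is expired. */
    static final class StoredPassword {
        final byte[] salt; final byte[] hash; final Instant expiresAt;
        StoredPassword(byte[] salt, byte[] hash, Instant expiresAt) {
            this.salt = salt; this.hash = hash; this.expiresAt = expiresAt;
        }
    }

    // Constructed in-memory account store standing in for the real account backend.
    static final Map<String, StoredPassword> ACCOUNTS = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();
    static final int MIN_LENGTH = 12; // assumed password policy

    static byte[] pbkdf2(char[] password, byte[] salt) throws LoginException {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new LoginException("hashing failed: " + e.getMessage());
        }
    }

    static void setPassword(String user, char[] password, Instant expiresAt) throws LoginException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        ACCOUNTS.put(user, new StoredPassword(salt, pbkdf2(password, salt), expiresAt));
    }

    /**
     * Authenticates {@code user} with {@code current}; {@code newPassword} may be null.
     * Returns true when the password was updated as part of this login.
     */
    static boolean login(String user, char[] current, char[] newPassword) throws LoginException {
        StoredPassword stored = ACCOUNTS.get(user);
        if (stored == null) throw new FailedLoginException("unknown account");

        // 1. The current password is verified first; a wrong current password is never an update.
        //    MessageDigest.isEqual is a constant-time comparison.
        if (!MessageDigest.isEqual(stored.hash, pbkdf2(current, stored.salt)))
            throw new FailedLoginException("invalid password");

        boolean expired = !Instant.now().isBefore(stored.expiresAt);

        // 2. No new password supplied: plain login, or CredentialExpiredException so the caller
        //    re-prompts and resubmits with old and new password.
        if (newPassword == null) {
            if (expired) throw new CredentialExpiredException("password expired; resubmit with a new password");
            return false;
        }

        // 3. New password supplied (expired or not): check it before raising anything, then update.
        if (newPassword.length < MIN_LENGTH) throw new LoginException("new password too short");
        if (Arrays.equals(current, newPassword)) throw new LoginException("new password must differ");
        setPassword(user, newPassword, Instant.now().plus(90, ChronoUnit.DAYS));
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: the stored password is already expired.
        setPassword("alice", "old-secret-pw-1".toCharArray(), Instant.now().minusSeconds(1));
        try {
            login("alice", "old-secret-pw-1".toCharArray(), null);
        } catch (CredentialExpiredException e) {
            System.out.println("expired: " + e.getMessage());
        }
        // Resubmission with old and new password updates the credential.
        System.out.println("updated: " + login("alice", "old-secret-pw-1".toCharArray(), "brand-new-secret-pw".toCharArray()));
        // Subsequent login with the new password, no change requested.
        System.out.println("updated: " + login("alice", "brand-new-secret-pw".toCharArray(), null));
    }
}
```

Two design points worth keeping when this is fitted into the real module: the new password must never be accepted on a failed current-password check (otherwise the change path becomes a password-guessing oracle with a free reset attached), and the policy checks on the new password run before the expiry decision so that an expired user who submits a weak replacement gets a policy error rather than a silent update.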
tag:rls-3.3