May 14, 2018 at 10:45 pm #21844 | Ash (Participant)
I want to understand if there is a possibility in OpenAM or OpenIDM where a REST API call can be made to set a user’s new password after his password expires.
There is an option in forgot password API that would utilize the token from email to reset a user’s password without asking for current or existing password.
I want to implement a similar workflow through user self-service that allows user to login first and if the password is expired, prompts them to reset their passwords (current workflow asks user to enter “old password” first).
I believe an admin will have sufficient rights to be able to call such API to reset without knowledge of the user’s old password. Can a similar flow be implemented as a self service?
Appreciate any help.

May 15, 2018 at 8:46 am #21846 | Andy Cory (Participant)
Have you considered using a custom authentication module for this? Given your description says that the user logs in first, and then you want to check if the password is expired and prompt the user to take action, it would seem to fit the functionality of an authentication module.
-Andy

May 16, 2018 at 4:38 pm #21868 | Ash (Participant)
Thank you for your response. I haven’t tried custom Authentication module but change password can be assumed to be something similar to an “Update Identity” API call right? That presumably will require Admin token to process the change of password. I was wondering if a self-service UI can implement the same functionality without the requirement of Admin token.
Custom Authentication Module documentation is very limited on FR so I’m not sure how to implement this feature using Authen module. Can you direct me to any blog that can be of help?
Appreciate your help.
Ash.

May 23, 2018 at 6:04 pm #21909 | Andy Cory (Participant)
You are right in that it requires certain admin privileges to update a user’s password. It’s possible to get hold of an admin token programmatically within a custom auth module, though.
Are you driving OpenAM using the REST APIs from your own application rather than using the XUI? If so, that gives you the flexibility to orchestrate the requests to OpenAM. If you try to authenticate using a password that the password policy says is expired, you’ll get a 401 response with a message of “Your password has expired. Please contact service desk to reset your password”. Your app could act on that message to call a custom auth module that expects a username and the new password, and the code within the module could then update the password. That doesn’t answer your question about writing your own modules, but the answer might not be relevant if using a custom module doesn’t fit your use-case – and I’ve made quite a lot of assumptions about that.
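The orchestration Andy describes, written out as an added example (it is not code from this thread or from ForgeRock): the application authenticates against OpenAM's real `/json/authenticate` endpoint with the `X-OpenAM-Username`/`X-OpenAM-Password` headers, and only when the 401 body carries the expiry message does it route the user to a second authentication call aimed at a custom module. The module name `ExpiredPasswordReset`, the base URL, and the offline `make_fake_transport` stand-in for OpenAM are assumptions so the flow can be run without a server; the real `urllib_transport` is what an application would inject instead.

```python
import json
import urllib.error
import urllib.request

# Message OpenAM returns (per the thread) when the password policy says the
# password is expired. A substring match tolerates punctuation differences.
EXPIRED_MESSAGE = "Your password has expired"
# Hypothetical name of a custom authentication module that takes a username
# and a NEW password and updates the account; this example assumes it exists.
RESET_MODULE = "ExpiredPasswordReset"


def urllib_transport(url, headers, body):
    """Real transport: POST JSON to OpenAM, return (status, decoded JSON body)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}


def _auth_call(base_url, username, password, transport, module=None):
    """One zero-page-login request to /json/authenticate, optionally aimed at a module."""
    url = base_url.rstrip("/") + "/json/authenticate"
    if module:
        url += f"?authIndexType=module&authIndexValue={module}"
    headers = {
        "Content-Type": "application/json",
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
    }
    return transport(url, headers, {})


def login_or_reset(base_url, username, password, new_password, transport):
    """Authenticate; if OpenAM reports an expired password, send the user to
    the reset module with the new password. Returns a small outcome dict."""
    status, body = _auth_call(base_url, username, password, transport)
    if status == 200 and "tokenId" in body:
        return {"outcome": "authenticated", "tokenId": body["tokenId"]}
    # Branch on the expiry message only: a generic 401 (wrong password, locked
    # account) must never be escalated into a password-change attempt.
    if status == 401 and EXPIRED_MESSAGE in body.get("message", ""):
        if not new_password or new_password == password:
            return {"outcome": "rejected",
                    "reason": "new password must be set and differ from the old one"}
        status2, body2 = _auth_call(base_url, username, new_password,
                                    transport, module=RESET_MODULE)
        if status2 == 200 and "tokenId" in body2:
            return {"outcome": "password_reset", "tokenId": body2["tokenId"]}
        return {"outcome": "reset_failed", "status": status2,
                "message": body2.get("message", "")}
    return {"outcome": "denied", "status": status, "message": body.get("message", "")}


def make_fake_transport(users):
    """Offline stand-in for OpenAM built from a constructed user table:
    users[name] = {"password": ..., "expired": bool}. It mimics only what the
    thread describes: 200 with a tokenId, or 401 with a message."""
    failed = {"code": 401, "reason": "Unauthorized", "message": "Authentication Failed"}

    def transport(url, headers, body):
        name = headers.get("X-OpenAM-Username")
        pw = headers.get("X-OpenAM-Password")
        user = users.get(name)
        if user is None or not pw:
            return 401, dict(failed)
        if "authIndexValue=" + RESET_MODULE in url:
            # The hypothetical module must refuse accounts whose password is
            # not expired; otherwise it would be an open password-change endpoint.
            if not user["expired"]:
                return 401, {"code": 401, "reason": "Unauthorized",
                             "message": "Password is not expired"}
            user["password"], user["expired"] = pw, False
            return 200, {"tokenId": f"fake-token-{name}-reset", "successUrl": "/openam/console"}
        if pw != user["password"]:
            return 401, dict(failed)
        if user["expired"]:
            return 401, {"code": 401, "reason": "Unauthorized",
                         "message": "Your password has expired. Please contact "
                                    "service desk to reset your password"}
        return 200, {"tokenId": f"fake-token-{name}", "successUrl": "/openam/console"}

    return transport


if __name__ == "__main__":
    fake = make_fake_transport({"ash": {"password": "OldPass1!", "expired": True}})
    print(login_or_reset("https://openam.example/openam", "ash", "OldPass1!", "NewPass2!", fake))
```

The fake makes two defender-side points visible: the client only branches on the specific expiry message, never on a bare 401, and the reset module should itself refuse any account whose password is not actually expired, since it is reachable by anyone who can call `/json/authenticate`.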