
Implement User Account Recovery V2 API #16536

Closed
Rashmini opened this issue Aug 28, 2023 · 4 comments

Comments


Rashmini commented Aug 28, 2023

Is your suggestion related to an experience ? Please describe.
We have encountered the following issues with the current recovery V1 API [1].

  • When the user submits an OTP in the recovery flow, the OTP itself is used to correlate the user, which is not a correct behaviour.
  • The resend code can be used and refreshed indefinitely to keep resending OTPs to the user / flooding the OTP services.

Considering the above, we need to provide a new V2 API based on the following approach:

  • There will be a unique identifier (UUID) for a particular password recovery attempt, which is bound to a particular user.
  • This identifier will be generated at the recovery flow initiation, and it will not be changed in the rest of the flow.
  • The generated OTP will be bound to the above unique identifier.
  • When the password is reset, the API call should include the above UUID, OTP and the new password.
  • Validation happens for the submitted OTP against the recovery context data retrieved from the UUID in the request.
  • To mitigate possible brute force attacks, the UUID will be invalidated when a certain number of failed OTP validations is exceeded.

UI support for the User Account Recovery V2 API will be onboarded at a later phase.

[1] https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/extend-username-and-password-recovery/#with-internal-notification-management
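The approach listed in the issue (a per-attempt recovery code bound to one user, an OTP bound to that code, validation by code rather than by OTP, a lockout after too many failed OTP checks, and a cap on resends) can be simulated end to end as a small in-memory service. The code below is an added illustration for this page, not WSO2 Identity Server's implementation and not the V2 API's real signatures: the class and method names, the in-memory dictionaries, and the thresholds MAX_FAILED_ATTEMPTS, MAX_RESENDS and CODE_TTL_SECONDS are all assumptions (the issue leaves the numbers unspecified).

```python
import hmac
import secrets
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

OTP_LENGTH = 6
MAX_FAILED_ATTEMPTS = 3   # assumed lockout threshold; the issue says "a certain number"
MAX_RESENDS = 3           # assumed cap; V1 allowed unbounded resends
CODE_TTL_SECONDS = 300    # assumed validity window for a recovery attempt


@dataclass
class RecoveryContext:
    """Server-side state for one recovery attempt, keyed by its recovery code."""
    user_id: str
    otp: str
    expires_at: float
    failed_attempts: int = 0
    resends: int = 0
    invalidated: bool = False


class RecoveryService:
    """Illustrative V2-style flow: the recovery code, not the OTP, identifies the attempt."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._contexts: Dict[str, RecoveryContext] = {}
        self._now = now
        self.passwords: Dict[str, str] = {}  # stand-in for the user store

    @staticmethod
    def _new_otp() -> str:
        return "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))

    def _context(self, code: str) -> Optional[RecoveryContext]:
        """Return the live context for a code, or None if unknown, expired or invalidated."""
        ctx = self._contexts.get(code)
        if ctx is None or ctx.invalidated or self._now() > ctx.expires_at:
            return None
        return ctx

    def initiate(self, user_id: str) -> Tuple[str, str]:
        """Start an attempt. The UUID is fixed for the rest of the flow; the OTP is bound to it."""
        code = str(uuid.uuid4())
        otp = self._new_otp()
        self._contexts[code] = RecoveryContext(user_id, otp, self._now() + CODE_TTL_SECONDS)
        return code, otp  # a real service sends the OTP over the notification channel

    def resend(self, code: str) -> Optional[str]:
        """Issue a fresh OTP for the same attempt; the attempt dies once the resend cap is hit."""
        ctx = self._context(code)
        if ctx is None:
            return None
        if ctx.resends >= MAX_RESENDS:
            ctx.invalidated = True
            return None
        ctx.resends += 1
        ctx.otp = self._new_otp()
        ctx.expires_at = self._now() + CODE_TTL_SECONDS
        return ctx.otp

    def confirm(self, code: str, otp: str) -> bool:
        """Validate the submitted OTP against the context looked up by code."""
        ctx = self._context(code)
        if ctx is None:
            return False
        if not hmac.compare_digest(ctx.otp.encode(), otp.encode()):
            ctx.failed_attempts += 1
            if ctx.failed_attempts >= MAX_FAILED_ATTEMPTS:
                ctx.invalidated = True  # brute-force mitigation from the issue
            return False
        return True

    def reset_password(self, code: str, otp: str, new_password: str) -> bool:
        """Reset call carries code, OTP and new password together; the code is single-use."""
        ctx = self._context(code)
        if ctx is None or not self.confirm(code, otp):
            return False
        self.passwords[ctx.user_id] = new_password
        ctx.invalidated = True
        return True
```

Two details worth keeping when adapting this: the OTP is compared with a constant-time function and is never used as a lookup key, so two users holding the same six digits cannot be confused, and every failure path (unknown code, expiry, lockout, exhausted resends) returns the same False rather than a distinguishing reason. A real deployment would persist the context in the database (the issue tracks that migration separately) and store a hash of the OTP rather than the digits themselves.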


Rashmini commented Aug 28, 2023

We have decided to disable the current recovery service along with this improvement. A config is introduced to enable/disable the service.

Related PRs:

The following config should be added to the deployment.toml file to enable the service.

[identity_mgt.recovery]
enable_v1_api = true


Rashmini commented Sep 4, 2023

DB migration is tracked with #16576

Rashmini commented

There's an issue in the Recovery V2 /confirm API when the channel is EXTERNAL. It will be fixed with #16884
