Forced Password Reset Via Email by Admin users In Wso2 IS 5.3.0

Why Forced Password is important?
If a user forgets his credentials and requested the admin to reset his password or the credentials get exposed to outsiders. In both cases admin can forcefully reset the password.


High Level Steps
  • Configuring Identity Server 
  •  Password reset via recovery Email
   
Detailed Instructions 
  • Enable account recovery functionality
    1. Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory.
    2. Configure the relevant property values for the email server that you need to configure for this service under the <adapterConfig type="email"> tag.
     
    <adapterConfig type="email">
    <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
    based authentication rather username/password authentication -->
    <property key="mail.smtp.from">abcd@gmail.com</property>
    <property key="mail.smtp.user">abcd</property>
    <property key="mail.smtp.password">xxxx</property>
    <property key="mail.smtp.host">smtp.gmail.com</property>
    <property key="mail.smtp.port">587</property>
    <property key="mail.smtp.starttls.enable">true</property>
    <property key="mail.smtp.auth">true</property>
    <!-- Thread Pool Related Properties -->
    <property key="minThread">8</property>
    <property key="maxThread">100</property>
    <property key="keepAliveTimeInMillis">20000</property>
    <property key="jobQueueSize">10000</property>
    </adapterConfig>

    3. Start the IS server and login to the management console with admin/admin credentials. 4. Create a new user with the username "tom" and update his user profile with a valid email address and other information.
    5. Create a new role called "test role" with login permissions and assign it to the new user, "test".
    6. Login to the dashboard as Tom. The login should be successful.
    7. Click on Resident under Identity Providers found in the Main tab.
    8. Expand the Account Management Policies tab.
    9. Expand the Password Reset tab and enable 'Enable Password Reset via Recovery Email'.
    10. Create a new SOAP-UI project by importing below the WSDL: https://localhost:9443/services/UserProfileMgtService?wsdl.
    11. Use the setUserProfile method to send a soap request to update the http://wso2.org/claims/identity/adminForcedPasswordReset claim of the project.

    12. Login to the email account you provided in test user profile

    Expected Outcome
    There will be a new email with an OTP (one time password) provided to login to the account.






     

Comments

  1. AnonymousJune 11, 2017 at 10:17 PM

    In order to make it send emails from our own gmail account the steps added will need to be followed...

    https://www.authsmtp.co.uk/gmail/index.html

    ReplyDelete
  2. quasimkageyMarch 3, 2022 at 6:49 AM

    Harrah's Cherokee Casino & Hotel - Mandiri Hub
    Harrah's 당진 출장안마 Cherokee Casino 하남 출장안마 & Hotel is Cherokee's premier integrated casino resort. Visit us 의왕 출장안마 for non-stop gaming action, dining, shopping, 양산 출장샵 entertainment 서울특별 출장안마 and more.

    ReplyDelete

Post a Comment

Popular posts from this blog

Applying CORS Filter to wso2 Identity Server

When we are invoking an endpoint in oauth2 war from a javascript of a web app which is located in a different domain than identity server domain we are getting "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://XXXXXXX is therefore not allowed access." The issue is occurring as the script on your page is running from a specifc domain and would try to request the resource via an XmlHttpRequest or XDomainRequst from a different domain as this is a cross -origin request. In order to get rid of this we need to enable this by sending below header using a custom filter.  Access-Control-Allow-Origin: http: //example.com   (Here  http://example.com is the domain name of where page with that script is hosted) Invoking UserInfo endpoint of wso2 Identity Server from JavaScript We have two possible solutions to apply the CORS header.  1. Customizing OpenIDConnectUserEndpoint.java as below and replacing the oauth
Read more

JWKS endpoint of wso2 IS

What is JWKS endpoint? The JSON Web Key Set (JWKS) endpoint is a read-only endpoint. This url returns the Identity Server's public key set in Json web key set format. This contains the signing key(s) the RP uses to validate signatures from the Identity Server. This endpoint is defined loosely by the OpenID Connect Discovery specification . Try JWKS endpoint with Identity Server The endpoint url for the super tenant: https://localhost:9443/oauth2/jwks The jwks for the super tenant will be as follows: { "keys" : [ { "alg" : "RS256" , "kty" : "RSA" , "use" : "sig" , "n" : " AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5 " , "e" : "AQAB" , "kid" : " d0ec514a32b6f88c0abd12a2840699bdd3deba9d "
Read more

DCR VS DCRM with WSO2 Identity server

Image
What is DCR (Dynamic Client Registration) Dynamic Client registration is a protocol which allows OAuth clients to register applications in an authorization server. Before this mechanism which is introduced from the spec [1] the client registration happened manually. With this implementation the client registration could be done in two ways.  - A client can be registered dynamically with the authorization server itself  - A programmer can register a client programmatically. Following is the protocol flow of DCR 1. A client sends a registration request with as follows. This should be a post request. 2. Server sends information response with 201 created. Request : POST   https://localhost:9443/api/identity/oauth2/dcr/v1.0/register HTTP/1.1 Authorization : Basic   YWRtaW46YWRtaW4= Content-Type :   application/json Content -Length :   114 Host: localhost :9443 {    "redirect_uris" : [      " http://localhost"    ],   
Read more