Per-User Security Question Based Password Recovery Management with WSO2 Identity Server
With the inclusion of per-user functionality locking in WSO2 Identity Server, an admin user can lock and unlock functionalities on a per-user basis. This gives fine-grained control over the functionalities a particular user is allowed to use. In this piece, I will walk you through how you can configure per-user functionality locking for the Security Question based Password Recovery functionality with WSO2 Identity Server.
Prerequisites
Before you begin, please make sure the prerequisites for using the Configuration Management REST APIs are met. You can find the necessary prerequisites here.
Step 1: Add tenant-wide properties for security question based password recovery
First, add the properties for this functionality that apply to every user in the tenant. These properties are:
- MaxAttempts: the maximum number of attempts allowed for a user
- LockoutTime: the time, in minutes, for which the functionality is locked for a user
- TimeoutRatio: the ratio by which the lockout time is increased when the maximum number of attempts is exceeded
In this example, I will use the following values for these properties.
MaxAttempts = 5
LockoutTime = 5
TimeoutRatio = 2
To set these properties, we must first define a resource type using the Configuration Management REST APIs.
To store the tenant-wide configuration for per-user functionality locking, follow the steps given below:
- Start the WSO2 Identity Server.
- Open a terminal window and run the following commands.
Sample Request
curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource-type -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"name": "functionalityLock", "description": "This is the resource type for per user functionality locking."}'
This creates the new resource type “functionalityLock” in the configuration store.
Upon successful creation of the resource type, the following response is returned.
Sample Response
{
  "name": "functionalityLock",
  "id": "05f3996c-be3a-43b4-917e-2ae12a304d9b",
  "description": "This is the resource type for per user functionality locking.",
  "links": []
}
Next, we need to create a resource for the functionality we are trying to configure. For that, enter the following command in a terminal window. In the same request, we also define the property values mentioned earlier.
Sample Request
curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"name": "SecurityQuestionBasedPasswordRecovery", "attributes": [{"key": "MaxAttempts", "value": "5"}, {"key": "LockoutTime", "value": "5"}, {"key": "TimeoutRatio", "value": "2"}]}'
Sample Response
{
  "resourceId": "c4357c84-5e4f-452e-9121-33cd1e655470",
  "tenantDomain": "carbon.super",
  "resourceName": "SecurityQuestionBasedPasswordRecovery",
  "resourceType": "functionalityLock",
  "lastModified": "2020-06-12T07:32:44.429Z",
  "created": "2020-06-12T07:32:44.429Z",
  "attributes": [
    {
      "key": "MaxAttempts",
      "value": "5"
    },
    {
      "key": "LockoutTime",
      "value": "5"
    },
    {
      "key": "TimeoutRatio",
      "value": "2"
    }
  ],
  "files": [
    {
      "href": "/t/carbon.super/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery/file",
      "rel": "file"
    }
  ]
}
Next, assume you want to update the configuration properties set for security question based password recovery. To do that, enter the following command in a terminal window. In this example, I will be updating the “MaxAttempts” property value to 3.
Sample Request
curl -k -X PUT https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"key": "MaxAttempts", "value": "3"}'
Sample Response
{"key":"MaxAttempts","value":"3"}
Once these steps are completed, run the following curl command to retrieve the ‘SecurityQuestionBasedPasswordRecovery’ resource that you created above.
Sample Request
curl -k -X GET https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4='
Sample Response
{
  "resourceId": "851827f8-1a38-4847-a8dc-db9fb97407ad",
  "tenantDomain": "carbon.super",
  "resourceName": "SecurityQuestionBasedPasswordRecovery",
  "resourceType": "functionalityLock",
  "lastModified": "2020-06-12T07:53:16Z",
  "created": "2020-06-12T07:52:14Z",
  "attributes": [
    {
      "key": "MaxAttempts",
      "value": "3"
    },
    {
      "key": "TimeoutRatio",
      "value": "2"
    },
    {
      "key": "LockoutTime",
      "value": "5"
    }
  ],
  "files": [
    {
      "href": "/t/carbon.super/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery/file",
      "rel": "file"
    }
  ]
}
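The steps above can also be scripted rather than typed as separate curl commands. The following Python is an added example, not code from the original post or from WSO2: it builds the Authorization header from credentials at runtime (the token in the curl commands is only Base64 of admin:admin), builds the resource body from the three properties, and validates the GET response before a script relies on it. The resource type, resource name and attribute keys are the article's; the sample response, its placeholder resourceId and the function names are my own assumptions.

```python
import base64
import json
from typing import Dict

# Names taken from the article's sample requests.
RESOURCE_TYPE = "functionalityLock"
RESOURCE_NAME = "SecurityQuestionBasedPasswordRecovery"
REQUIRED_KEYS = ("MaxAttempts", "LockoutTime", "TimeoutRatio")


def basic_auth_header(username: str, password: str) -> str:
    # Build the header at runtime; the article's token is only Base64 of admin:admin,
    # so a pre-encoded value pasted into a script is a plaintext credential.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def resource_payload(props: Dict[str, int]) -> str:
    # Body for POST .../resource/functionalityLock; the API takes attribute values as strings.
    attrs = [{"key": k, "value": str(v)} for k, v in props.items()]
    return json.dumps({"name": RESOURCE_NAME, "attributes": attrs})


def parse_lock_config(response_body: str) -> Dict[str, int]:
    # Read a GET .../resource/functionalityLock/<name> response back into ints,
    # rejecting a resource that is missing a property or holds a non-positive value.
    body = json.loads(response_body)
    if body.get("resourceType") != RESOURCE_TYPE or body.get("resourceName") != RESOURCE_NAME:
        raise ValueError("response is not the expected functionalityLock resource")
    found = {a["key"]: a["value"] for a in body.get("attributes", [])}
    config = {}
    for key in REQUIRED_KEYS:
        if key not in found:
            raise ValueError(f"missing attribute: {key}")
        value = int(found[key])  # raises ValueError on a non-numeric value
        if value <= 0:
            raise ValueError(f"{key} must be positive, got {value}")
        config[key] = value
    return config


# Constructed sample mirroring the article's final GET response (placeholder resourceId).
SAMPLE_GET_RESPONSE = json.dumps({
    "resourceId": "00000000-0000-0000-0000-000000000000",
    "tenantDomain": "carbon.super",
    "resourceName": RESOURCE_NAME,
    "resourceType": RESOURCE_TYPE,
    "attributes": [{"key": "MaxAttempts", "value": "3"},
                   {"key": "TimeoutRatio", "value": "2"},
                   {"key": "LockoutTime", "value": "5"}],
})
```

Send the payload and header with any HTTP client against the same endpoints as the curl commands above; parse_lock_config then confirms the stored values before they are trusted by automation.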
Thanks for reading!