Per-User Security Question Based Password Recovery Management with WSO2 Identity Server

Chamath
3 min read · Dec 16, 2022

With the inclusion of per-user functionality locking in WSO2 Identity Server, an admin user can lock and unlock functionalities on a per-user basis. This gives fine-grained control over which functionalities a particular user is allowed to use. In this piece, I will walk you through how you can configure per-user functionality locking for the Security Question based Password Recovery functionality with WSO2 Identity Server.

Prerequisites

Before you begin, please make sure the prerequisites for using the Configuration Management REST APIs are met. You can find the necessary prerequisites here.

Step 1: Add tenant-wide properties for security question based password recovery

First, add the properties for this functionality that apply to all users in a tenant. These properties are:

  • MaxAttempts : maximum number of attempts allowed for a user before the functionality is locked
  • LockoutTime : time, in minutes, for which the functionality is locked for a user
  • TimeoutRatio : ratio by which the lockout time is increased each time the maximum number of attempts is exceeded

In this example, I will use the following values for these properties.

MaxAttempts = 5
LockoutTime = 5
TimeoutRatio = 2

To set these properties, first we must define a resource type using the Configuration Management REST APIs.

To store the tenant-wide configuration for per-user functionality locking, follow the steps given below:

  1. Start the WSO2 Identity Server.
  2. Open a terminal window and run the following commands.

Sample Request

curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource-type -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"name": "functionalityLock", "description": "This is the resource type for per user functionality locking."}'

This creates the new resource type "functionalityLock" in the configuration store.

Upon successful creation of the resource type, the following response is returned.

Sample Response

{
  "name": "functionalityLock",
  "id": "05f3996c-be3a-43b4-917e-2ae12a304d9b",
  "description": "This is the resource type for per user functionality locking.",
  "links": []
}

Next, we need to create a resource for the functionality we are configuring. For that, enter the following command in a terminal window. In the same request, we also define the property values mentioned earlier.

Sample Request

curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"name": "SecurityQuestionBasedPasswordRecovery", "attributes": [{"key": "MaxAttempts", "value": "5"}, {"key": "LockoutTime", "value": "5"}, {"key": "TimeoutRatio", "value": "2"}]}'

Sample Response

{
  "resourceId": "c4357c84-5e4f-452e-9121-33cd1e655470",
  "tenantDomain": "carbon.super",
  "resourceName": "SecurityQuestionBasedPasswordRecovery",
  "resourceType": "functionalityLock",
  "lastModified": "2020-06-12T07:32:44.429Z",
  "created": "2020-06-12T07:32:44.429Z",
  "attributes": [
    {"key": "MaxAttempts", "value": "5"},
    {"key": "LockoutTime", "value": "5"},
    {"key": "TimeoutRatio", "value": "2"}
  ],
  "files": [
    {
      "href": "/t/carbon.super/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery/file",
      "rel": "file"
    }
  ]
}

Next, assume you want to update the configuration properties set for security question based password recovery. To do that, enter the following command in a terminal window. In this example, I update the "MaxAttempts" property value to 3.

Sample Request

curl -k -X PUT https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"key": "MaxAttempts", "value": "3"}'

Sample Response

{"key":"MaxAttempts","value":"3"}

Once these steps are completed, run the following curl command to retrieve the "SecurityQuestionBasedPasswordRecovery" resource that you created above and confirm the stored values.

Sample Request

curl -k -X GET https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4='

Sample Response

{
  "resourceId": "851827f8-1a38-4847-a8dc-db9fb97407ad",
  "tenantDomain": "carbon.super",
  "resourceName": "SecurityQuestionBasedPasswordRecovery",
  "resourceType": "functionalityLock",
  "lastModified": "2020-06-12T07:53:16Z",
  "created": "2020-06-12T07:52:14Z",
  "attributes": [
    {"key": "MaxAttempts", "value": "3"},
    {"key": "TimeoutRatio", "value": "2"},
    {"key": "LockoutTime", "value": "5"}
  ],
  "files": [
    {
      "href": "/t/carbon.super/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery/file",
      "rel": "file"
    }
  ]
}
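
To run the whole procedure above as one script and check the result, here is an added Python example (not from the post or from WSO2) that builds the same request bodies, performs the four calls with the standard library, and compares the attributes read back against the intended values by key, since the GET response lists the attributes in a different order than they were created. It assumes the post's values: a local server on port 9443, the admin/admin credentials behind the Basic header, and the carbon.super tenant.

```python
import base64
import json
import ssl
import urllib.request

# Assumed values taken from the post: local IS on 9443, admin/admin credentials, carbon.super tenant.
BASE = "https://localhost:9443/api/identity/config-mgt/v1.0"
RESOURCE_TYPE = "functionalityLock"
RESOURCE = "SecurityQuestionBasedPasswordRecovery"
TENANT_WIDE = {"MaxAttempts": 5, "LockoutTime": 5, "TimeoutRatio": 2}

def resource_payload(name, values):
    """Body for POST /resource/{type}: every property is sent as a string-valued attribute."""
    return {"name": name, "attributes": [{"key": k, "value": str(v)} for k, v in values.items()]}

def verify_resource(resource_json, expected):
    """Compare a resource response against the intended values. Attribute order is not stable
    across calls (the post's GET returns TimeoutRatio before LockoutTime), so compare by key.
    Returns a list of (key, expected, actual) mismatches; an empty list means the store matches."""
    actual = {a["key"]: a["value"] for a in resource_json.get("attributes", [])}
    return [(k, str(v), actual.get(k)) for k, v in expected.items() if actual.get(k) != str(v)]

def call(method, path, body=None, user="admin", password="admin", verify_tls=True):
    """One HTTPS request to the config-mgt API with Basic auth; returns parsed JSON, or None."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method, headers={
        "Accept": "application/json", "Content-Type": "application/json",
        "Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; only for the default self-signed development certificate
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def configure(values=TENANT_WIDE, new_max_attempts=3, verify_tls=False):
    """The post's procedure end to end: create the type, create the resource, update MaxAttempts,
    then read the resource back and return any mismatches found (empty list means success)."""
    call("POST", "/resource-type", {"name": RESOURCE_TYPE,
         "description": "This is the resource type for per user functionality locking."}, verify_tls=verify_tls)
    call("POST", f"/resource/{RESOURCE_TYPE}", resource_payload(RESOURCE, values), verify_tls=verify_tls)
    call("PUT", f"/resource/{RESOURCE_TYPE}/{RESOURCE}",
         {"key": "MaxAttempts", "value": str(new_max_attempts)}, verify_tls=verify_tls)
    expected = dict(values, MaxAttempts=new_max_attempts)
    return verify_resource(call("GET", f"/resource/{RESOURCE_TYPE}/{RESOURCE}", verify_tls=verify_tls), expected)

if __name__ == "__main__":
    print(configure() or "resource matches the intended configuration")
```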

Thanks for reading!
