eclipse-archived / codewind

The official repository of the Eclipse Codewind project
https://codewind.dev
Eclipse Public License 2.0

Help a user change their Codewind remote password #2981

Open markcor11 opened 4 years ago

markcor11 commented 4 years ago

Codewind version: 0.12.0
OS:
Che version:
IDE extension version:
IDE version:
Kubernetes cluster:

Description of the enhancement:

Assist the user when they need to change their password for accessing a remote Codewind deployment.

The user needs to change their password in two places:

  1. Desktop: CWCTL currently updates the local password
  2. Remote: Keycloak user account needs to be updated with a matching password

CWCTL (IDEs) do allow the user to set a password desktop side but do not change the password in Keycloak. This leaves the two sides disconnected and using different passwords, blocking the next login.

We do not currently document the steps for changing the password on the remote Keycloak side other than in the operator guide, using the two commands:

kubectl get codewinds to find the Codewind deployment, then kubectl get keycloaks to find the Access URL of the connected Keycloak service.

We should make it easier for the user to find this URL or potentially change the password in Keycloak (with their agreement) when CWCTL updates the password locally.

markcor11 commented 4 years ago

/area portal

tobespc commented 4 years ago

Whilst we can easily display a help page with info on it, we should also look to see about IDE integration and the use flow through this

markcor11 commented 4 years ago

For a Codewind user who has no other privilege than being a user of Codewind then I think it might be nice for the Codewind IDE plugin to be able to ask the user to enter a new password and push them over to the Keycloak server using familiar fields like:

Change your password helper
---------------------------

Old password:       [                ]
New password:       [                ]
Verify password:    [                ]

However, if the user account is stored in a 3rd party trusted identity provider and not "our" Codewind Keycloak, then it may not be possible for the user to update the password without visiting that identity provider directly and following their specific password change or reset process.

So with that in mind, I'd prefer to have a common flow which would be:

  1. Send the user to their identity provider service either directly using a button supplied via the IDE plugin or by opening up a browser window to Codewind which displays some context help and links to the appropriate identity provider for them to click on.

  2. Once the user lands on their identity provider account screen, they can either log in (required to change their password) or request a new one if they have forgotten theirs. By using a browser we STAY OUT OF THAT FLOW completely and leave it to the identity provider to handle.

  3. The user resets or changes their password in the identity provider as desired.

  4. The user then returns to their IDE, opens their connection to Codewind, and updates it with their new password.

That is a very familiar flow used by IDEs today.

For example if a user has a "connection" to LDAP or a MongoDB service, they would first visit those services and create their account / change their password. They would then go back to their IDE and open the corresponding connection and update it with the new password.

I don't think it would be expected that an IDE plugin would or should be able to do account management and in fact doing so would require the client app to have an increased set of account privileges.

So if we agree on that, the changes necessary would be:

  1. Add a button or context menu option for the IDE Plugin to open up a web browser page served from Codewind.
  2. The addition of a new page which displays help text and a link to the identity provider for the user to click on.
  3. Documentation update.
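
Step 1 of the flow proposed above, as an added example that is not part of this thread or of the Codewind code base: a hypothetical Go helper, `AccountURL`, that turns the Keycloak Access URL into the account-page link to open in a browser and refuses anything that is not a plain https URL, so the client never handles the password itself. It assumes the Access URL is the Keycloak base URL including any path prefix; the host and realm name used are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// validRealm accepts only letters, digits, '-' and '_' so the realm name
// cannot alter the path (for example with "../" or an encoded slash).
func validRealm(realm string) bool {
	for _, r := range realm {
		ok := r == '-' || r == '_' || (r >= '0' && r <= '9') ||
			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		if !ok {
			return false
		}
	}
	return realm != ""
}

// AccountURL (hypothetical helper) builds the link to the Keycloak account
// page, where the user changes the password in the browser. accessURL is the
// value reported by `kubectl get keycloaks`; realm is an assumed parameter.
func AccountURL(accessURL, realm string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(accessURL))
	if err != nil {
		return "", fmt.Errorf("invalid access URL: %w", err)
	}
	switch {
	case u.Scheme != "https":
		return "", errors.New("access URL must use https")
	case u.Host == "" || u.User != nil:
		return "", errors.New("access URL needs a host and no embedded credentials")
	case u.RawQuery != "" || u.ForceQuery || u.Fragment != "":
		return "", errors.New("access URL must not carry a query or fragment")
	case !validRealm(realm):
		return "", errors.New("realm name contains unexpected characters")
	}
	u.Path = strings.TrimRight(u.Path, "/") + "/realms/" + realm + "/account"
	return u.String(), nil
}

func main() {
	// Constructed sample values; neither appears in the issue.
	link, err := AccountURL("https://keycloak.example.test/auth", "codewind")
	fmt.Println(link, err)
}
```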

micgibso commented 4 years ago

Won't get done for 0.14.0 so removing from release.