Closed xx4h closed 3 years ago
@xx4h Thanks for the PRs! Just want to make sure I understand the functionality here, so this would be similar to when a user authenticates via ssh/sssd/pam and they are automatically prompted to change their password? So your PR here will allow mokey to have a similar flow for users that have authenticated successfully but have an expired password?
Correct, like ssh/sssd/pam prompt you. But even more like the normal FreeIPA web interface does, if you try to log in with an expired password and it redirects you to a page where you can enter your current (expired) password, OTP token (if needed) and your new password as well as a password confirmation.
@xx4h All sounds great. Thanks again for contributing. I'll try and get this reviewed and merged shortly.
Closed with PR #85
If a user has an expired password the User-Portal Login only says `Invalid login`. FreeIPA actually does give us more information in the response of the API call. The header field `X-IPA-Rejection-Reason: password-expired` will be present if the login credentials were correct, but the password is unfortunately expired (and thus can only be used to set a new password).

The base functionality for this first needs to be added to the `goipa` module, which I already created a PR for: ubccr/goipa#8

Additionally I already have a working patch for mokey, which I will clean up now for a PR for mokey.
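
Added example (not code from mokey, goipa or this issue's author): a minimal Go client that separates the expired-password rejection described above from every other failed login by reading `X-IPA-Rejection-Reason`. The `Login` helper, the error names, the `user`/`password` form fields and the constructed stand-in server `fakeIPA` are assumptions made for illustration.

```go
package main
import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

var (
	ErrPasswordExpired = errors.New("password expired") // credentials correct, only usable to set a new password
	ErrInvalidLogin    = errors.New("invalid login")    // any other rejection keeps the generic message
)

// Login (hypothetical helper) classifies a rejection by the X-IPA-Rejection-Reason header.
func Login(c *http.Client, loginURL, user, pass string) error {
	resp, err := c.PostForm(loginURL, url.Values{"user": {user}, "password": {pass}})
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK:
		return nil
	case resp.Header.Get("X-IPA-Rejection-Reason") == "password-expired":
		return ErrPasswordExpired // route to the change-password form
	default:
		return ErrInvalidLogin
	}
}

// fakeIPA is a constructed stand-in server: alice's password is expired, bob's is valid.
func fakeIPA() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass := r.PostFormValue("user"), r.PostFormValue("password")
		switch {
		case user == "bob" && pass == "good":
			return // implicit 200 OK
		case user == "alice" && pass == "old-secret":
			w.Header().Set("X-IPA-Rejection-Reason", "password-expired")
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

func main() {
	srv := fakeIPA()
	defer srv.Close()
	fmt.Println(Login(srv.Client(), srv.URL, "alice", "old-secret"))
}
```

Because the header only appears when the credentials were correct, the change-password form it leads to should still require the current password, as the FreeIPA flow described in the thread does.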