isharak
commented
2 weeks ago This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!
Is your suggestion related to an experience ? Please describe.
Currently, when updating the password from my-account portal, the update functionality is invoked via a SCIM2 patch operation. Since SCIM2 treats password as yet another user attribute, there is no proper way to verify the current password when performing the update operation. For the moment, as the method of validating the current password in my-account portal, we use basic authentication with the username and the current password [1] to authenticate the SCIM2 patch request. If the authentication fails, we consider it as the current password validation failure. However, anyone can invoke a SCIM2 patch call for password update along with a bearer token without having needed to provide the current password. Therefore, we should find an effective mechanism to update password while verifying the current password. That mechanism should be applied to the my-account portal as-well.
[1] https://github.com/wso2/identity-apps/blob/046c7fd2360d373b3c66509f6058e1b1a01f2edb/apps/myaccount/src/api/change-password.ts#L34
Related to : https://github.com/wso2/product-is/issues/8988, https://github.com/wso2/product-is/issues/9461