wso2 / product-is


Concerns about the Challenge Question Connector in IS v7.0.0 #20572

Closed sanjulamadurapperuma closed 2 months ago

sanjulamadurapperuma commented 3 months ago

Describe the issue:

The documentation [1] for the Challenge Question Connector (which was created since IS v7.0.0 no longer includes the feature out of the box) does not contain the comprehensive steps that someone should follow, as the official documentation did in previous versions of WSO2 Identity Server.

After the last step in [1], the user cannot actually navigate to the new Console and configure properties related to this connector, nor is the user shown the challenge question option when trying out the recovery flows. Instead, they have to add the following deployment.toml configuration to enable the old carbon management console (ideally these configurations should be available via the new console).

[server]
hide_menu_items = []

The user then has to log in to the old carbon management console, navigate to Resident Identity Provider > Account Management > Account Recovery, and enable the "Security question based password recovery" option.

Additionally, if the user wants to force users to answer challenge questions on login, they need to enable the "Enable forced security questions" option. These details and steps are missing from the documentation [1]. Ideally, this information should be included to prevent any confusion regarding this feature now that it is only available as a connector.

Furthermore, it was noted that compilation errors occur in the add-security-questions.jsp page in the authenticationendpoint web app in WSO2 Identity Server v7.0.0 due to incorrect imports after moving the challenge question feature out as a connector.

<%@ page import="org.wso2.carbon.identity.recovery.model.ChallengeQuestion" %> needs to be changed to <%@ page import="org.wso2.carbon.identity.challenge.questions.recovery.model.ChallengeQuestion" %> and <%@ page import="org.wso2.carbon.identity.recovery.ui.IdentityManagementAdminClient" %> needs to change to <%@ page import="org.wso2.carbon.identity.challenge.questions.ui.IdentityManagementAdminClient" %>.

The above should also be fixed accordingly in addition to the documentation concerns.

[1] - https://github.com/wso2-extensions/identity-challenge-questions/blob/main/docs/config.md
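The import fix described above, as an added example that is not part of the issue or of WSO2's own code: a POSIX shell script that rewrites the two stale imports in add-security-questions.jsp in place (keeping a .orig backup), verifies that no stale import remains, and is safe to run twice because the new package names do not contain the old ones. The sample JSP it operates on is constructed here to mirror the two offending lines; the install path under IS_HOME given in the comment is an assumption about a typical deployment.

```shell
#!/bin/sh
# Added example (not from the issue or from WSO2): rewrite the two stale
# challenge-question imports reported for IS 7.0.0 and verify nothing stale
# remains. The sample JSP is constructed; the IS_HOME path below is assumed.

OLD_MODEL='org.wso2.carbon.identity.recovery.model.ChallengeQuestion'
NEW_MODEL='org.wso2.carbon.identity.challenge.questions.recovery.model.ChallengeQuestion'
OLD_CLIENT='org.wso2.carbon.identity.recovery.ui.IdentityManagementAdminClient'
NEW_CLIENT='org.wso2.carbon.identity.challenge.questions.ui.IdentityManagementAdminClient'

# Escape dots so sed matches a package name literally rather than as "any char".
literal() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Rewrite both imports in the given JSP in place, keeping a .orig backup.
# Re-running is harmless: the new names do not contain the old substrings.
fix_jsp_imports() {
  jsp="$1"
  [ -f "$jsp" ] || { echo "not found: $jsp" >&2; return 1; }
  cp "$jsp" "$jsp.orig"
  sed -e "s/$(literal "$OLD_MODEL")/$NEW_MODEL/g" \
      -e "s/$(literal "$OLD_CLIENT")/$NEW_CLIENT/g" \
      "$jsp.orig" > "$jsp"
}

# Print how many lines still carry a stale import (0 when the fix is complete).
count_stale_imports() {
  grep -cF -e "$OLD_MODEL" -e "$OLD_CLIENT" "$1" || true
}

# Succeed (exit 0) only when no stale import remains in the file.
check_jsp_imports() {
  ! grep -qF -e "$OLD_MODEL" -e "$OLD_CLIENT" "$1"
}

# Constructed sample mirroring the two lines quoted in the issue plus one
# unrelated import that must be left untouched.
make_sample_jsp() {
  cat > "$1" <<'EOF'
<%@ page import="org.wso2.carbon.identity.recovery.model.ChallengeQuestion" %>
<%@ page import="org.wso2.carbon.identity.recovery.ui.IdentityManagementAdminClient" %>
<%@ page import="java.util.List" %>
EOF
}

# Stand-alone demonstration against a constructed copy. On a real install the
# file is assumed to live under
# $IS_HOME/repository/deployment/server/webapps/authenticationendpoint/
demo() {
  tmp="${TMPDIR:-/tmp}/add-security-questions.$$.jsp"
  make_sample_jsp "$tmp"
  echo "stale imports before: $(count_stale_imports "$tmp")"
  fix_jsp_imports "$tmp"
  echo "stale imports after:  $(count_stale_imports "$tmp")"
  check_jsp_imports "$tmp" && echo "imports fixed: $tmp"
  rm -f "$tmp" "$tmp.orig"
}

demo
```

Point fix_jsp_imports at the real add-security-questions.jsp after unpacking the connector; the .orig copy lets you diff or roll back, and check_jsp_imports gives a non-zero exit you can gate a deployment step on.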



DMHP commented 3 months ago

@asha15 Can you please validate this?

asha15 commented 3 months ago

@asha15 Can you please validate this?

Sure, will check this.

asha15 commented 3 months ago

Hi @sanjulamadurapperuma

The connector documentation only contains the steps [1] related to how to configure the challenge questions connector with Identity Server, since it's out of the box. As you mentioned, it doesn't contain the documentation related to the challenge questions feature. As an improvement, we can move the challenge questions related documentation into the connector's repository.

Since the challenge questions feature is deprecated, it was decided to support challenge questions configuration only in the Carbon Console. If a user wants to enable this feature, they must configure it from the Carbon Console as expected. A separate issue has been created to remove the challenge questions configuration from the management console and move it to the React console in a later release [2].

If a user wants to use the challenge questions feature, they should add the connector and the related configuration, following the same steps they followed in previous Identity Server versions to use the challenge questions feature.

When the connector effort was completed, the configuration to enable the resident IDP was:

[resident_identity_provider]
enable = "true"

However this configuration was later updated. We will revise the documentation to reflect the updated configuration and clarify that the connector is only supported in the Carbon Console.

Furthermore, it was noted that compilation errors occur in the add-security-questions.jsp page in the authenticationendpoint web app in WSO2 Identity Server v7.0.0 due to incorrect imports after moving the challenge question feature out as a connector.

<%@ page import="org.wso2.carbon.identity.recovery.model.ChallengeQuestion" %> needs to be changed to <%@ page import="org.wso2.carbon.identity.challenge.questions.recovery.model.ChallengeQuestion" %> and <%@ page import="org.wso2.carbon.identity.recovery.ui.IdentityManagementAdminClient" %> needs to change to <%@ page import="org.wso2.carbon.identity.challenge.questions.ui.IdentityManagementAdminClient" %>.

Your concern is valid, and the class names should be updated. Will work on the fixes.

[1] https://github.com/wso2-extensions/identity-challenge-questions/blob/main/docs/config.md
[2] https://github.com/wso2/product-is/issues/19638

Thank you!

asha15 commented 2 months ago

Fixed with: https://github.com/wso2-extensions/identity-challenge-questions/pull/10, https://github.com/wso2/identity-apps/pull/6498