wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

/v2/recovery/password/init API only returns one recovery mode at a given time #21106

Open sanjulamadurapperuma opened 2 weeks ago

sanjulamadurapperuma commented 2 weeks ago

Describe the issue:

It was observed that the recover via challenge questions option in the password-recovery-with-claims-options.jsp page in the accountrecoveryendpoint is not visible when triggering a password recovery flow with the challenge questions connector added in IS v7.0.0. The recovery flow that they follow is password recovery with multi claims as mentioned in [1].

It was also observed that upon one restart of WSO2 Identity Server the following REST API [2] that is being invoked in the above JSP page to determine if the recovery options are enabled or not returns only one recovery mode. Upon another server restart it returns another recovery mode, but not all recovery modes at the same time.

curl --location 'https://<IS_HOSTNAME>/api/users/v2/recovery/password/init' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <auth>' \
--data-raw '{
  "claims": [
    {
      "uri": "http://wso2.org/claims/givenname",
      "value": "<givenname>"
    },
    {
      "uri": "http://wso2.org/claims/emailaddress",
      "value": "<email>"
    },
    {
      "uri": "http://wso2.org/claims/lastname",
      "value": "<lastname>"
    }
  ]
}'

This needs to be fixed.

[1] - https://wso2docs.atlassian.net/wiki/spaces/IS570/pages/38176130/Password+Recovery#:~:text=REST%20APIs.-,Password%20recovery%20using%20multiple%20claims,-This%20feature%20allows
[2] - https://is.docs.wso2.com/en/latest/apis/user-account-recovery-v2-rest-api/#tag/Password-Recovery/operation/initiatePasswordRecovery



kayathiri4 commented 5 days ago

With the current implementation, we have extended the PasswordRecoveryManager in two places:
[1] https://github.com/kayathiri4/identity-governance-s/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java
[2] https://github.com/wso2-extensions/identity-challenge-questions/blob/main/components/org.wso2.carbon.identity.challenge.questions.recovery/src/main/java/org/wso2/carbon/identity/challenge/questions/recovery/internal/service/impl/password/ChallengeQuestionPasswordRecoveryManagerImpl.java

Still one of them (randomly picked), is considered in recovery flow. This keeps changing on each startup. https://github.com/wso2/identity-api-user/blob/e43b334788b49d8e4effffa4005c3c3b236f5711/components/org.wso2.carbon.identity.api.user.recovery/org.wso2.carbon.identity.api.user.recovery.commons/src/main/java/org/wso2/carbon/identity/api/user/recovery/commons/factory/PasswordRecoveryManagerOSGIServiceFactory.java#L39

If we get all the services at the above code level, we cannot simply call the methods on each of the managers when https://github.com/wso2/identity-api-user/blob/master/components/org.wso2.carbon.identity.api.user.recovery/org.wso2.carbon.identity.rest.api.user.recovery.v2/src/main/java/org/wso2/carbon/identity/rest/api/user/recovery/v2/impl/core/PasswordRecoveryService.java#L108 (Note: currently the challenge questions implementation does not implement either of these)

Hence, a proper solution has to be discussed.
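The comment above describes the root cause: two PasswordRecoveryManager implementations are registered as OSGi services, and the factory resolves a single one, so whichever bundle started first decides which recovery mode the API reports. The following is an added, simplified illustration of that failure mode and of the aggregation pattern a fix would need; it is not code from WSO2 Identity Server, identity-governance or identity-challenge-questions. The interface RecoveryManager, the two stand-in implementations, the FakeServiceRegistry and CompositeRecoveryManager, and the mode names are all hypothetical and only stand in for the real OSGi registry and manager classes.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical, simplified contract: each manager reports the recovery
// channels it can offer. The real PasswordRecoveryManager API is richer.
interface RecoveryManager {
    Set<String> supportedRecoveryModes();
}

// Stand-ins for the two implementations named in the issue comment
// (notification-based recovery and challenge-question recovery).
final class NotificationRecoveryManager implements RecoveryManager {
    public Set<String> supportedRecoveryModes() { return Set.of("EMAIL", "SMS"); }
}

final class ChallengeQuestionRecoveryManager implements RecoveryManager {
    public Set<String> supportedRecoveryModes() { return Set.of("CHALLENGE_QUESTIONS"); }
}

// Stand-in for the OSGi service registry. Registration order is whatever
// the bundle start order happened to be, which is not guaranteed across restarts.
final class FakeServiceRegistry {
    private final List<RecoveryManager> services = new ArrayList<>();

    void register(RecoveryManager manager) { services.add(manager); }

    // Single-service lookup: only one of the registered managers is returned.
    RecoveryManager getService() { return services.get(0); }

    // Multi-service lookup: every registered manager is returned.
    List<RecoveryManager> getServices() { return List.copyOf(services); }
}

// Aggregates across all registered managers so no recovery mode is lost.
final class CompositeRecoveryManager implements RecoveryManager {
    private final List<RecoveryManager> delegates;

    CompositeRecoveryManager(List<RecoveryManager> delegates) { this.delegates = delegates; }

    public Set<String> supportedRecoveryModes() {
        Set<String> modes = new LinkedHashSet<>();
        for (RecoveryManager manager : delegates) {
            modes.addAll(manager.supportedRecoveryModes());
        }
        return modes;
    }
}

public class RecoveryModeDemo {
    public static void main(String[] args) {
        FakeServiceRegistry registry = new FakeServiceRegistry();

        // Simulate a non-deterministic bundle start order between restarts.
        List<RecoveryManager> startupOrder = new ArrayList<>(List.of(
                new NotificationRecoveryManager(), new ChallengeQuestionRecoveryManager()));
        Collections.shuffle(startupOrder);
        startupOrder.forEach(registry::register);

        // Single lookup: reports EMAIL/SMS on one run and CHALLENGE_QUESTIONS on another.
        System.out.println("single service -> " + registry.getService().supportedRecoveryModes());

        // Aggregated lookup: reports all three modes regardless of start order.
        System.out.println("aggregated     -> "
                + new CompositeRecoveryManager(registry.getServices()).supportedRecoveryModes());
    }
}
```

Running the demo several times shows the "single service" line flipping between the two implementations while the "aggregated" line stays stable. As the comment notes, a composite alone is not enough for the real code, because the service layer also calls manager methods that not every implementation provides; the composite would have to decide per call which delegate handles it, which is the design question still open in this issue.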