WSO2 Identity Server supports Email-based notifications currently. The following describes the configuration needed to send email using axis transport with Identity Server with regard to password recovery.
Here in after {carbon_home} refers to your Identity Server installation directory.
To recover with notification:
Edit the identitymgt.properties file with the following configuration under
{carbon_home}/repository/conf/security
.Notification.Sending.Enable=true Notification.Expire.Time=3 # expire the recovery after 3 minutes. Notification.Sending.Internally.Managed=true UserAccount.Recovery.Enable=true Captcha.Verification.Internally.Managed=false # set this to true if you do not have existing captcha validation module
- Edit the emailadminconfig.xml file with the following configuration under
{carbon_home}/repository/conf/email
. Define a email format with the type “passwordReset”. The following is a sample format:
<configuration type="passwordReset"> <targetEpr>https://localhost:9443/carbon/adminmgt/validator_ajaxprocessor.jsp</targetEpr> <subject>Password Reset Notification</subject> <body> Hi {firstname} We received a request to change the password on the {username} account associated with this email address. If you made this request, please click the link below to securely change your password: {passwordresetlink} If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window. If you did not request to have your {username} password reset, simply disregard this email and no changes to your account will be made. </body> <footer> Best Regards, WSO2 Carbon Teamhttp://www.wso2.com </footer> <redirectPath></redirectPath> </configuration>
- The email sent to user includes the
{passwordresetlink}
replaced with the URL defined within thetargetEprtag
appending theconfirmation={key}
which the Identity Server API caller needs to pass along with the user name. Edit the axis.xml with the following configuration under
{carbon_home}/axis2/
. Uncomment the following in the file and provide the necessary email settings.<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender"> <parameter name="mail.smtp.from">chamathtest@gmail.com</parameter> <parameter name="mail.smtp.user">chamathtest@gmail.com</parameter> <parameter name="mail.smtp.password">password</parameter> <parameter name="mail.smtp.host">smtp.gmail.com</parameter> <parameter name="mail.smtp.port">587</parameter> <parameter name="mail.smtp.starttls.enable">true</parameter> <parameter name="mail.smtp.auth">true</parameter> </transportSender>
Recovering the password with email notification can be achived using the exposed UserInformationRecoveryService where the WSDL can be found in the following URL of your Identity Server installation: https://localhost:9443/services/UserInformationRecoveryService?wsdl.
The service security is implemented using Captcha and confirmation codes having expiry. Also for each communication the generated confirmation code will be not reused the by the service. This makes the services secure and fails repeated attempts to same service. Hence the sequence of calls which the Calling Application must do is as follows for email based recovery.
- getCaptcha() - Generates a captcha
- verifyUser() - Validates the captcha answer and username and returns a new key
- sendRecoveryNotification() - Send an email notification with a confirmation code to user. Need to provide the key from previous call.
- getCaptcha() - Generates a captcha when the user clicks on the URL
- verifyConfirmationCode() - Validates the captcha answer and confirmation code. This returns a key.
- updatePassword() - Updates the password in the system.Need to provide the key from previous call, new password and returns the status of the update, true or false.