This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Password Recovery

This section describes the usage of the User Information Recovery APIs in WSO2 Identity Server. The API offers two ways to recover a lost or forgotten password: email notifications or secret questions. It is also possible to retrieve a forgotten username. See the following topics for more information.

Recovery using notifications

WSO2 Identity Server supports password recovery by using email-based notifications. The following describes the configurations required in order to send email using the axis2 mail transport in the WSO2 Identity Server for password recovery.

To recover with notification:

  1. Enable the Identity Listener by setting the following property to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
  2. Edit the identity-mgt.properties file with the following configurations. This file is found in the <PRODUCT_HOME>/repository/conf/identity directory.

    Notification.Sending.Enable=true
    Notification.Expire.Time=3
    Notification.Sending.Internally.Managed=true
    UserAccount.Recovery.Enable=true
    Captcha.Verification.Internally.Managed=false

    The following list describes these configurations.

    • Notification.Sending.Enable=true - This enables the email sending function when recovering the account and verifying the user creation.
    • Notification.Expire.Time=3 - The time specified here is in minutes. In this case, the recovery expires after three minutes.
    • Notification.Sending.Internally.Managed=true - This enables the internal email sending module. If false, the email sending data is available to the application via a Web service, so the application can send the email using its own email sender.
    • UserAccount.Recovery.Enable=true - This enables the user account recovery process.
    • Captcha.Verification.Internally.Managed=false - Set this to true if you do not have an existing captcha validation module.
  3. Ensure that the email-admin-config.xml file has the following configurations. This file is found in the <PRODUCT_HOME>/repository/conf/email directory. Use the email format with the type “passwordReset”.

    <configuration type="passwordReset">
    	<targetEpr></targetEpr>
    	<subject>Password Reset Notification</subject>
    	<body>
    		Hi {first-name}
    		We received a request to change the password on the {user-name} account
    		associated with this e-mail address. If you made this request, please click
    		the link below to securely change your password:
    
    
    		https://localhost:8443/InfoRecoverySample/infoRecover/verify?confirmation={confirmation-code}&amp;userstoredomain={userstore-domain}&amp;username={user-name}&amp;tenantdomain={tenant-domain}
    
    		If clicking the link doesn't seem to work, you can copy and paste the link
    		into your browser's address window.
    
    
    		If you did not request to have your {user-name} password reset, simply
    		disregard this email and no changes to your
    		account will be made.
    	</body>
    	<footer>
    		Best Regards,
    		WSO2 Carbon Team http://www.wso2.com
    	</footer>
    	<redirectPath></redirectPath>
    </configuration>

    The email sent to the user includes the {confirmation-code}, which the Identity Server API caller needs to pass along with the user name.

  4. Edit the axis.xml file with the following configuration. This file is found in the <PRODUCT_HOME>/repository/conf/axis2/ directory. Uncomment the following in the file and provide the necessary email settings.

    <transportSender name="mailto"
    class="org.apache.axis2.transport.mail.MailTransportSender">
    	<parameter name="mail.smtp.from">sampleemail@gmail.com</parameter>
    	<parameter name="mail.smtp.user">sampleemail</parameter>
    	<parameter name="mail.smtp.password">password</parameter>
    	<parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    	<parameter name="mail.smtp.port">587</parameter>
    	<parameter name="mail.smtp.starttls.enable">true</parameter>
    	<parameter name="mail.smtp.auth">true</parameter>
    </transportSender>

Recovering the password with email notification can be achieved using the exposed UserInformationRecoveryService. The WSDL file for this service can be found at the following URL of your Identity Server installation: https://localhost:9443/services/UserInformationRecoveryService?wsdl.

The service is secured using captcha verification and confirmation codes that expire after a while. This makes the services secure and causes repeated attempts to access the same service to fail. For email-based recovery, the calling application must make the following sequence of calls:

  1. getCaptcha() - Generates a captcha.
  2. verifyUser() - Validates the captcha answer and username and returns a new key.
  3. sendRecoveryNotification() - Sends an email notification with a confirmation code to the user. You must provide the key from the previous call.
  4. getCaptcha() - Generates a captcha when the user clicks on the URL.
  5. verifyConfirmationCode() - Validates the captcha answer and confirmation code. This returns a key.
  6. updatePassword() - Updates the password in the system. You must provide the key from the previous call and the new password. Returns the status of the update, true or false.

The flow of password recovery by email notification is as follows using the WSDL file (https://localhost:9443/services/UserInformationRecoveryService?wsdl). First you need to get the captcha using the getCaptcha() method. The captcha details returned should be passed along with the visible captcha answer and user name to verifyUser() which is for user verification. Upon successful verification, it will return a code. Then you need to call the sendRecoveryNotification() method to send the notification along with the code to the user. The generated email with the password reset link will be emailed to the user. Once the user clicks the reset link, the user should be directed to another captcha page for verification by calling getCaptcha(). The confirmation code must be verified along with the captcha answer by calling verifyConfirmationCode(). This will generate another code that must be passed to the updatePassword() method to update the password.

See Configuring Sample Application For Identity Management for a sample of how this works.
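
The six-call sequence above, as an added example that is not WSO2 code: a constructed in-memory stand-in for the service plus the caller side, showing how the key returned by one call must be presented to the next and how an expired confirmation code stops the flow. The operation names are the page's; argument shapes, single-use keys, the fixed captcha answer and the helper names are assumptions of this example.

```python
import secrets

EXPIRE_MINUTES = 3  # Notification.Expire.Time in identity-mgt.properties


class FakeRecoveryService:
    """Constructed stand-in, not WSO2 code. Operation names are the page's;
    arguments, return values and single-use keys are assumptions."""
    def __init__(self, users, clock):
        self.users = users    # username -> password
        self.clock = clock    # callable returning the current time in minutes
        self.captchas = {}    # captcha id -> expected answer
        self.keys = {}        # key -> (username, operation that issued it)
        self.codes = {}       # confirmation code -> (username, issue time)
        self.outbox = []      # (username, confirmation code) "emails"

    def _issue_key(self, username, issued_by):
        key = secrets.token_urlsafe(16)
        self.keys[key] = (username, issued_by)
        return key

    def _use_key(self, key, username, issued_by):
        if self.keys.pop(key, None) != (username, issued_by):
            raise PermissionError("key not issued by " + issued_by)

    def _check_captcha(self, captcha_id, answer):
        expected = self.captchas.pop(captcha_id, None)
        if expected is None or expected != answer:
            raise PermissionError("captcha verification failed")

    def getCaptcha(self):
        captcha_id = secrets.token_urlsafe(8)
        self.captchas[captcha_id] = "42"  # constructed fixed answer
        return captcha_id

    def verifyUser(self, username, captcha_id, answer):
        self._check_captcha(captcha_id, answer)
        if username not in self.users:
            raise PermissionError("verification failed")
        return self._issue_key(username, "verifyUser")

    def sendRecoveryNotification(self, username, key):
        self._use_key(key, username, "verifyUser")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, self.clock())
        self.outbox.append((username, code))

    def verifyConfirmationCode(self, username, code, captcha_id, answer):
        self._check_captcha(captcha_id, answer)
        owner, issued_at = self.codes.pop(code, (None, 0))
        if owner != username or self.clock() - issued_at > EXPIRE_MINUTES:
            raise PermissionError("confirmation code invalid or expired")
        return self._issue_key(username, "verifyConfirmationCode")

    def updatePassword(self, username, key, new_password):
        self._use_key(key, username, "verifyConfirmationCode")
        self.users[username] = new_password
        return True


def recover_password(service, username, new_password, solve, user_delay=lambda: None):
    """Caller side: the six calls in the order the page lists them."""
    captcha = service.getCaptcha()                                    # 1
    key = service.verifyUser(username, captcha, solve(captcha))       # 2
    service.sendRecoveryNotification(username, key)                   # 3
    code = service.outbox[-1][1]  # stands in for the user opening the emailed link
    user_delay()                  # time that passes before the click
    captcha = service.getCaptcha()                                    # 4
    key = service.verifyConfirmationCode(username, code, captcha, solve(captcha))  # 5
    return service.updatePassword(username, key, new_password)        # 6


def is_rejected(call, *args):
    try:
        call(*args)
    except PermissionError:
        return True
    return False
```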

Recovery using challenge questions

The WSO2 Identity Server provides an alternative means of recovering passwords. This is by using challenge questions. Therefore, if users forget their password, they can recover it by answering challenge questions that were set up for their accounts.

Before setting this up, you must configure the required claims for this feature. To do this, do the following.

  1. Enter your username and password to log on to the Management Console.
  2. From the Main menu, click List under Claims.
  3. Click the WSO2 claim dialect (http://wso2.org/claims).
  4. You must select and configure three claim mappings. These are Challenge Question, Challenge Question1 and Challenge Question2.

    The following are the three claims necessary. For each claim URI below, there should be one claim mapping.

    • http://wso2.org/claims/challengeQuestionUris 
    • http://wso2.org/claims/challengeQuestion1 
    • http://wso2.org/claims/challengeQuestion2
  5. For the mapped attribute, provide any attribute that your underlying user store supports. This example keeps the defaults as they are. The three claims are set as ‘Supported by Default’ so that these attributes will appear in the user’s profile when viewing from the management console.
    The following list describes how these claims are used.

    • http://wso2.org/claims/challengeQuestionUris - This claim holds the claim URIs of the challenge question sets associated with the user’s profile. If the user has challenge question 1 and 2 set, the value will be all the associated claims separated by the ! mark. For example, http://wso2.org/claims/challengeQuestion1!http://wso2.org/claims/challengeQuestion2
    • http://wso2.org/claims/challengeQuestion1 - This claim holds the details of the first challenge question of the user. Here the claim value will contain the question and the answer. The answer is a hashed value and not in plain text. For example, Favorite sport ?!jyf0Mvy6pLUYChzHqPoWapPNo8G85vGZIt1RnQL0uzk=
    • http://wso2.org/claims/challengeQuestion2 - This claim holds the details of the second challenge question of the user. Here the claim value will contain the question and the answer. The answer is a hashed value and not in plain text. For example, Favorite food ?!IJ92QY7OfJNrZf9Hd6V42GD3YsN61sfwj1gmJCGZ71E=

    The required claim mappings for the challenge questions feature are now set.

The following are three ways to set up challenge questions for users.

Using the end user dashboard

To try this out, first create a user in the Identity Server.

  1. On the Main tab in the Management Console, click Add under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. Click Add New User.
     
  4. Log out of the Identity Server.
  5. The URL for accessing the dashboard is https://localhost:9443/dashboard/ if the hostname is localhost and the Identity Server is running on port 9443. Click this link to access the dashboard and log in using the credentials of the user you just created.

  6. Click the View Details button under the Account Recovery section in the end user dashboard.
     
  7. You can set challenge questions for the user account. There are two sets of challenge questions by default. You can pick one question for each set and give an answer for the question.

  8. Click Update.
  9. Log into the Identity Server as an admin.
  10. On the Main tab in the Management Console, click List under Users and Roles.
  11. Click Users. This link is only visible to users with the Admin role. 
  12. Click User Profile next to the user you created.
  13. You can see that the challenge question values are set for this user.
     

Using the UserIdentityManagementAdminService admin service

WSO2 Identity Server provides the UserIdentityManagementAdminService API for identity management related functions of user accounts. See Calling Admin Services for more information on how to call this service. The following are some key points to note when attempting this.

  • You must set the following property to false in the <IS_HOME>/repository/conf/carbon.xml file to view the WSDLs of the services.

    <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
  • You can access the WSDL for the service from the following URL: https://localhost:9443/services/UserIdentityManagementAdminService?wsdl
  • Using this API, an admin user can set the challenge questions for a user, unlike setting challenge questions using the end user dashboard.

Call the getAllChallengeQuestions method from a SOAP client like SoapUI to list all the available challenge questions. The following is a sample of the SOAP request you must send.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
     <ser:getAllChallengeQuestions/>
  </soapenv:Body>
</soapenv:Envelope>

The following is an example of a SOAP response.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
     <ns:getAllChallengeQuestionsResponse xmlns:ns="http://services.mgt.identity.carbon.wso2.org" xmlns:ax2308="http://mgt.identity.carbon.wso2.org/xsd" xmlns:ax2310="http://dto.mgt.identity.carbon.wso2.org/xsd">
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>City where you were born ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion1</ax2310:questionSetId>
        </ns:return>
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>Father's middle name ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion1</ax2310:questionSetId>
        </ns:return>
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>Favorite food ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion1</ax2310:questionSetId>
        </ns:return>
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>Favorite vacation location ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion1</ax2310:questionSetId>
        </ns:return>
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>Model of your first car ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion2</ax2310:questionSetId>
        </ns:return>
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>Name of the hospital where you were born ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion2</ax2310:questionSetId>
        </ns:return>
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>Name of your first pet ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion2</ax2310:questionSetId>
        </ns:return>
        <ns:return xsi:type="ax2310:ChallengeQuestionDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:order>0</ax2310:order>
           <ax2310:promoteQuestion>false</ax2310:promoteQuestion>
           <ax2310:question>Favorite sport ?</ax2310:question>
          <ax2310:questionSetId>http://wso2.org/claims/challengeQuestion2</ax2310:questionSetId>
        </ns:return>
     </ns:getAllChallengeQuestionsResponse>
  </soapenv:Body>
</soapenv:Envelope>

Notice the questionSetId and question elements in the response. From each question set, you can pick one question to be set to the user’s profile as the challenge question. In this example the following two questions are used from set1 and set2.

  • http://wso2.org/claims/challengeQuestion1 - Favorite food ?
  • http://wso2.org/claims/challengeQuestion2 - Favorite sport ?

Call the setChallengeQuestionsOfUser method to set these two challenge questions for the user. This is an example of the SOAP request you must send.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org" xmlns:xsd="http://dto.mgt.identity.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
     <ser:setChallengeQuestionsOfUser>
        <ser:userName>edirisinghe</ser:userName>
        <!--Zero or more repetitions:-->

        <ser:challengesDTOs>
           <xsd:answer>rice</xsd:answer>
           <xsd:id>http://wso2.org/claims/challengeQuestion1</xsd:id>
           <xsd:order>0</xsd:order>
           <xsd:primary>false</xsd:primary>
           <xsd:question>Favorite food ?</xsd:question>
           <xsd:verfied>false</xsd:verfied>
        </ser:challengesDTOs>

        <ser:challengesDTOs>
           <xsd:answer>soccer</xsd:answer>
           <xsd:id>http://wso2.org/claims/challengeQuestion2</xsd:id>
           <xsd:order>1</xsd:order>
           <xsd:primary>false</xsd:primary>
           <xsd:question>Favorite sport ?</xsd:question>
           <xsd:verfied>false</xsd:verfied>
        </ser:challengesDTOs>

     </ser:setChallengeQuestionsOfUser>
  </soapenv:Body>
</soapenv:Envelope>

After you successfully set the challenge questions for the user, you get the following SOAP response.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
     <ns:setChallengeQuestionsOfUserResponse xmlns:ns="http://services.mgt.identity.carbon.wso2.org">
        <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
     </ns:setChallengeQuestionsOfUserResponse>
  </soapenv:Body>
</soapenv:Envelope>

You can verify that the challenge questions are correctly set by calling the getChallengeQuestionsOfUser method. The following is an example of the SOAP request you must send.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
     <ser:getChallengeQuestionsOfUser>
        <ser:userName>edirisinghe</ser:userName>
     </ser:getChallengeQuestionsOfUser>
  </soapenv:Body>
</soapenv:Envelope>

The following is an example of the SOAP response you receive. Notice that each answer is returned as a hashed value instead of the plain text answer.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
     <ns:getChallengeQuestionsOfUserResponse xmlns:ns="http://services.mgt.identity.carbon.wso2.org" xmlns:ax2308="http://mgt.identity.carbon.wso2.org/xsd" xmlns:ax2310="http://dto.mgt.identity.carbon.wso2.org/xsd">
        <ns:return xsi:type="ax2310:UserChallengesDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:answer>IJ92QY7OfJNrZf9Hd6V42GD3YsN61sfwj1gmJCGZ71E=</ax2310:answer>
           <ax2310:error xsi:nil="true"/>
           <ax2310:id>http://wso2.org/claims/challengeQuestion1</ax2310:id>
           <ax2310:key xsi:nil="true"/>
           <ax2310:order>0</ax2310:order>
           <ax2310:primary>false</ax2310:primary>
           <ax2310:question>Favorite food ?</ax2310:question>
           <ax2310:verfied>false</ax2310:verfied>
        </ns:return>
        <ns:return xsi:type="ax2310:UserChallengesDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2310:answer>jyf0Mvy6pLUYChzHqPoWapPNo8G85vGZIt1RnQL0uzk=</ax2310:answer>
           <ax2310:error xsi:nil="true"/>
           <ax2310:id>http://wso2.org/claims/challengeQuestion2</ax2310:id>
           <ax2310:key xsi:nil="true"/>
           <ax2310:order>1</ax2310:order>
           <ax2310:primary>false</ax2310:primary>
           <ax2310:question>Favorite sport ?</ax2310:question>
           <ax2310:verfied>false</ax2310:verfied>
        </ns:return>
     </ns:getChallengeQuestionsOfUserResponse>
  </soapenv:Body>
</soapenv:Envelope>

You can also verify this by viewing the user's profile in the management console. Do the following to check this.

  1. On the Main tab in the Management Console, click List under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. Click User Profile next to the user you created.
  4. You can see that the challenge question values are set for this user. 

Using the RemoteUserStoreManagerService admin service

As the challenge questions and answers for users are stored as claims, you can set the challenge questions of the users by updating the claims of the user using the RemoteUserStoreManagerService API. See Calling Admin Services for more information on how to call this service. Note the following when attempting this.

  • You can access the WSDL for the service from the following URL: https://localhost:9443/services/RemoteUserStoreManagerService?wsdl

Call the getUserClaimValues method using the following sample SOAP request to view the challenge question details set for the given user.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
     <ser:getUserClaimValues>
        <ser:userName>tharindu</ser:userName>
        <ser:profileName>default</ser:profileName>
     </ser:getUserClaimValues>
  </soapenv:Body>
</soapenv:Envelope>

The following is a sample SOAP response. Note that some other claims are removed to improve readability.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
     <ns:getUserClaimValuesResponse xmlns:ns="http://service.ws.um.carbon.wso2.org" xmlns:ax2603="http://api.user.carbon.wso2.org/xsd" xmlns:ax2602="http://core.user.carbon.wso2.org/xsd" xmlns:ax2610="http://tenant.core.user.carbon.wso2.org/xsd" xmlns:ax2608="http://dao.service.ws.um.carbon.wso2.org/xsd" xmlns:ax2606="http://common.mgt.user.carbon.wso2.org/xsd">

        <ns:return xsi:type="ax2608:ClaimDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2608:claimUri>http://wso2.org/claims/challengeQuestionUris</ax2608:claimUri>
           <ax2608:description xsi:nil="true"/>
           <ax2608:dialectURI xsi:nil="true"/>
           <ax2608:displayOrder>0</ax2608:displayOrder>
           <ax2608:displayTag xsi:nil="true"/>
           <ax2608:regEx xsi:nil="true"/>
           <ax2608:required>false</ax2608:required>
           <ax2608:supportedByDefault>false</ax2608:supportedByDefault>
           <ax2608:value>http://wso2.org/claims/challengeQuestion1!http://wso2.org/claims/challengeQuestion2</ax2608:value>
        </ns:return>

        <ns:return xsi:type="ax2608:ClaimDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2608:claimUri>http://wso2.org/claims/challengeQuestion2</ax2608:claimUri>
           <ax2608:description xsi:nil="true"/>
           <ax2608:dialectURI xsi:nil="true"/>
           <ax2608:displayOrder>0</ax2608:displayOrder>
           <ax2608:displayTag xsi:nil="true"/>
           <ax2608:regEx xsi:nil="true"/>
           <ax2608:required>false</ax2608:required>
           <ax2608:supportedByDefault>false</ax2608:supportedByDefault>
           <ax2608:value>Favorite sport ?!jyf0Mvy6pLUYChzHqPoWapPNo8G85vGZIt1RnQL0uzk=</ax2608:value>
        </ns:return>
        <ns:return xsi:type="ax2608:ClaimDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ax2608:claimUri>http://wso2.org/claims/challengeQuestion1</ax2608:claimUri>
           <ax2608:description xsi:nil="true"/>
           <ax2608:dialectURI xsi:nil="true"/>
           <ax2608:displayOrder>0</ax2608:displayOrder>
           <ax2608:displayTag xsi:nil="true"/>
           <ax2608:regEx xsi:nil="true"/>
           <ax2608:required>false</ax2608:required>
           <ax2608:supportedByDefault>false</ax2608:supportedByDefault>
           <ax2608:value>Favorite food ?!IJ92QY7OfJNrZf9Hd6V42GD3YsN61sfwj1gmJCGZ71E=</ax2608:value>
        </ns:return>
     </ns:getUserClaimValuesResponse>
  </soapenv:Body>
</soapenv:Envelope>

To set challenge questions, call the setUserClaimValues method. The following is a sample SOAP request.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
     <ser:setUserClaimValues>
        <ser:userName>john</ser:userName>
        <!--Zero or more repetitions:-->
        <ser:claims>
           <xsd:claimURI>http://wso2.org/claims/challengeQuestionUris</xsd:claimURI>
          <xsd:value>http://wso2.org/claims/challengeQuestion1!http://wso2.org/claims/challengeQuestion2</xsd:value>
        </ser:claims>
        <ser:claims>
           <xsd:claimURI>http://wso2.org/claims/challengeQuestion1</xsd:claimURI>
           <xsd:value>Favorite food ?!IJ92QY7OfJNrZf9Hd6V42GD3YsN61sfwj1gmJCGZ71E=</xsd:value>
        </ser:claims>
        <ser:claims>
           <xsd:claimURI>http://wso2.org/claims/challengeQuestion2</xsd:claimURI>
           <xsd:value>Favorite sport ?!jyf0Mvy6pLUYChzHqPoWapPNo8G85vGZIt1RnQL0uzk=</xsd:value>
        </ser:claims>       
        <ser:profileName>default</ser:profileName>
     </ser:setUserClaimValues>
  </soapenv:Body>
</soapenv:Envelope>

In this request, the claim values have the following format: Question text ?!EncodedHashOfAnswer

To obtain the value to include above, take the bytes of the plain text answer string, compute their SHA-256 hash and encode the result to Base64. You can use the following Java code, where value contains the plain text answer.

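static String hashAnswer(String value) throws java.security.NoSuchAlgorithmException {
    // SHA-256 of the answer bytes, then Base64 (java.util.Base64 here in place of Base64.encode)
    java.security.MessageDigest dgst = java.security.MessageDigest.getInstance("SHA-256");
    byte[] byteValue = dgst.digest(value.getBytes());
    return java.util.Base64.getEncoder().encodeToString(byteValue);
}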
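
The claim value format and hash described above, as an added Python example that is not WSO2 code: it builds, parses and checks "Question text ?!EncodedHashOfAnswer" values, assembles the challengeQuestionUris claim and renders the claims elements for a setUserClaimValues request. UTF-8 encoding of the answer and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
from xml.sax.saxutils import escape

SEP = "!"  # separator used in both claim formats shown on the page
URIS_CLAIM = "http://wso2.org/claims/challengeQuestionUris"


def hash_answer(answer):
    """Base64(SHA-256(answer bytes)), the computation the page describes.

    UTF-8 is an assumption; the Java snippet uses the platform default charset.
    There is no salt, so equal answers always produce equal stored values.
    """
    digest = hashlib.sha256(answer.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_claim_value(question, answer):
    """'Question text ?!EncodedHashOfAnswer' for one challenge question."""
    if not question or not answer:
        raise ValueError("question and answer must be non-empty")
    return question + SEP + hash_answer(answer)


def parse_claim_value(value):
    """Split a stored value into (question, encoded hash).

    Splits on the last '!': the Base64 alphabet has no '!', so a question
    that itself contains '!' still parses correctly.
    """
    question, sep, encoded = value.rpartition(SEP)
    if not sep or not question:
        raise ValueError("expected 'question!hash'")
    if len(base64.b64decode(encoded, validate=True)) != 32:
        raise ValueError("hash is not a 32-byte SHA-256 digest")
    return question, encoded


def answer_matches(stored_value, candidate):
    """Check a candidate answer against a stored claim value in constant time."""
    _, encoded = parse_claim_value(stored_value)
    return hmac.compare_digest(encoded, hash_answer(candidate))


def claims_for_user(chosen):
    """Map {question set URI: (question, plain answer)} to the claim URI ->
    value pairs to send, including the challengeQuestionUris index claim."""
    claims = {URIS_CLAIM: SEP.join(chosen)}
    for set_uri, (question, answer) in chosen.items():
        claims[set_uri] = build_claim_value(question, answer)
    return claims


def claims_xml(claims):
    """Render the <ser:claims> elements of a setUserClaimValues request,
    XML-escaping values (a question such as 'Salt & pepper ?' needs it)."""
    return "\n".join(
        "<ser:claims><xsd:claimURI>%s</xsd:claimURI><xsd:value>%s</xsd:value></ser:claims>"
        % (escape(uri), escape(value))
        for uri, value in claims.items()
    )
```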

Once the claims are updated, you can check them in the management console by viewing the user’s profile. Do the following to check this.

  1. On the Main tab in the Management Console, click List under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. Click User Profile next to the user you created.
  4. You can see that the challenge question values are set for this user.