[Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog
Endi Sukma Dewata
edewata at redhat.com
Tue Jun 12 23:24:39 UTC 2012
On 6/8/2012 10:52 AM, Petr Vobornik wrote:
> and now the patch...
> On 06/08/2012 05:51 PM, Petr Vobornik wrote:
>> For those of you who are only interested in the user perspective I prepared a
>> set of screenshots to demonstrate the workflow of password reset:
>> http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png
>>
>> Patch depends on mkosek #274.
>>
>> Web UI was missing a way to reset an expired password for a normal user.
>> Recent server patch added API for such a task. This patch adds a reset
>> password form to the unauthorized dialog.
>>
>> If a user tries to log in using form-based authentication and his password
>> is expired, the login form transforms into a reset password form. The username
>> and current password are populated with the values from the previous login attempt.
>> The user then has to enter a new password and its verification. Then he can
>> hit the enter key on the keyboard or click on the reset button in the dialog to
>> perform the password reset. An error is displayed if some part of the password
>> reset fails. If it is successful, a new login with the values entered for the
>> password reset is performed. It should log in the user. In the password reset
>> form the user can click on the back button or hit escape on the keyboard to go back
>> to the login form.
>>
>> https://fedorahosted.org/freeipa/ticket/2755
It works with mkosek 274-2. Some comments:
1. If you click 'form-based authentication' the dialog title still shows
'Kerberos ticket no longer valid' which is not relevant for form-based
authentication. It might be better to use 'Login' as the title for all
pages in this dialog.
2. Instead of having to go to a separate page for form-based
authentication, would it be better to change the first page in the login
dialog to show the login form? Something like this:
Login
-----------------------------------------------------
Your session has expired. Please re-login.
To login with username and password:
Username: [edewata ]
Password: [******** ]
[Login]
To login with Kerberos, please make sure you
have valid tickets (obtainable via kinit) and
[configured] the browser correctly.
[Login with Kerberos]
The two login mechanisms can be shown at the same time like above or in
collapsible sections. If the user enters a password and it's expired,
the dialog will change into:
Login
-----------------------------------------------------
Your password has expired. Please enter a new
password:
Username: edewata
New Password: [******** ]
Verify Password: [******** ]
[Reset Password and Login] [Cancel]
In this page the username is shown for info only, it's not editable. The
old password is not shown again, but kept in memory. I use Cancel
instead of Back to indicate that we are starting over. The Cancel button
will bring you back to the first page.
3. I noticed that the password is kept in memory too long by the login
dialog, so if you go back and forth between the pages the fields are
already populated. This might be a security risk. I think the username &
password should be cleaned up when you click Back/Cancel.
4. Is there a plan to provide password reset via email?
--
Endi S. Dewata
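The login-to-reset workflow described in the patch, with the credential wiping on Cancel/Back that point 3 asks for, as an added DOM-free model; this is example code written for this thread, not the FreeIPA Web UI's own code. It assumes a hypothetical `auth` backend object with `login(u, p)` and `resetPassword(u, oldP, newP)` methods returning `{ok, error}`, and the account name and error strings are constructed.

```javascript
// Added example, not FreeIPA Web UI code: a DOM-free model of the login
// dialog discussed above. Assumed backend interface: auth.login(u, p) and
// auth.resetPassword(u, oldP, newP), each returning {ok, error}.
class LoginDialog {
  constructor(auth) {
    this.auth = auth;
    this.state = 'login'; // 'login' or 'reset'
    this.fields = { username: '', password: '', newPassword: '', verifyPassword: '' };
  }
  // Overwrite every credential field; called on Cancel/Back and after any
  // submit so stale secrets do not survive a page transition (point 3).
  clearFields() { for (const k of Object.keys(this.fields)) this.fields[k] = ''; }
  // Form-based login; returns a status string. On an expired-password error
  // the dialog switches to the reset form, keeping username/current password.
  login(username, password) {
    const r = this.auth.login(username, password);
    if (r.ok) { this.clearFields(); return 'logged-in'; }
    if (r.error !== 'password-expired') return 'failed: ' + r.error;
    this.state = 'reset';
    this.fields.username = username; // shown read-only on the reset form
    this.fields.password = password; // kept only until reset or cancel
    return 'reset-required';
  }
  // Reset form: check the two new-password entries, reset, then log in with
  // the new password. The old password is wiped whether or not reset succeeds.
  reset(newPassword, verifyPassword) {
    if (this.state !== 'reset') throw new Error('not on the reset form');
    if (newPassword !== verifyPassword) return 'failed: passwords do not match';
    const { username, password } = this.fields;
    const r = this.auth.resetPassword(username, password, newPassword);
    this.cancel(); // back to the login form with all fields wiped
    return r.ok ? this.login(username, newPassword) : 'failed: ' + r.error;
  }
  // Cancel/Back: drop everything entered so far and return to the login form.
  cancel() { this.clearFields(); this.state = 'login'; }
}
// Constructed fake backend (not IPA): one account whose password has expired.
function makeFakeAuth() {
  const users = { edewata: { password: 'Secret123', expired: true } };
  const check = (u, p) => users[u] !== undefined && users[u].password === p;
  return {
    login: (u, p) => !check(u, p) ? { ok: false, error: 'invalid-credentials' }
      : users[u].expired ? { ok: false, error: 'password-expired' } : { ok: true },
    resetPassword(u, oldP, newP) {
      if (!check(u, oldP)) return { ok: false, error: 'invalid-credentials' };
      users[u].password = newP; users[u].expired = false;
      return { ok: true };
    },
  };
}
```

A real dialog would additionally blank the DOM input elements, since the model only owns its own copies of the field values.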