[Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog

Petr Vobornik pvoborni at redhat.com
Wed Jun 13 13:15:29 UTC 2012


I'll address all issues once we decide on the solution.

On 06/13/2012 01:24 AM, Endi Sukma Dewata wrote:
> On 6/8/2012 10:52 AM, Petr Vobornik wrote:
>> and now the patch...
>> On 06/08/2012 05:51 PM, Petr Vobornik wrote:
>>> For those of you who are only interested in the user perspective, I prepared a
>>> set of screenshots to demonstrate the workflow of password reset:
>>> http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png
>>>
>>> Patch depends on mkosek #274.
>>>
>>> The Web UI was missing a way to reset an expired password for a normal user.
>>> A recent server patch added an API for this task. This patch adds a reset
>>> password form to the unauthorized dialog.
>>>
>>> If a user tries to log in using form-based authentication and his password
>>> is expired, the login form transforms into a reset password form. The username
>>> and current password are populated with the values from the previous login attempt.
>>> The user then has to enter a new password and its verification. Then he can
>>> hit the enter key on the keyboard or click the reset button in the dialog to
>>> perform the password reset. An error is displayed if some part of the password
>>> reset fails. If it is successful, a new login with the values entered for the
>>> password reset is performed. It should log the user in. In the password reset
>>> form the user can click the back button or hit escape on the keyboard to go back
>>> to the login form.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2755
>
> It works with mkosek 274-2. Some comments:
>
> 1. If you click 'form-based authentication' the dialog title still shows
> 'Kerberos ticket no longer valid', which is not relevant for form-based
> authentication. It might be better to use 'Login' as the title for all
> pages in this dialog.

Agree

>
> 2. Instead of having to go to a separate page for form-based
> authentication, would it be better to change the first page in the login
> dialog to show the login form? Something like this:
>
> Login
> -----------------------------------------------------
>
> Your session has expired. Please re-login.
>
> To login with username and password:
>
> Username: [edewata ]
> Password: [******** ]
>
> [Login]
>
> To login with Kerberos, please make sure you
> have valid tickets (obtainable via kinit) and
> [configured] the browser correctly.
>
> [Login with Kerberos]
>
> The two login mechanisms can be shown at the same time like above or in
> collapsible sections. If the user enters a password and it's expired,
> the dialog will change into:

I like the idea but I'm not sure about the layout. Having one button
inside the dialog seems strange, and also it will probably look weird.
Collapsible sections are worse because you have to click on them, so it
slows things down. The current implementation has the 'forms-based
authentication' link selected, so the user can in most cases hit enter and
immediately write the username and password and complete the login procedure
using only the keyboard.

Also 'Login with Kerberos' is misleading. The user logs in elsewhere (kinit).
So the current button, 'retry', is more appropriate.

>
> Login
> -----------------------------------------------------
>
> Your password has expired. Please enter a new
> password:
>
> Username: edewata
> New Password: [******** ]
> Verify Password: [******** ]
>
> [Reset Password and Login] [Cancel]
>
> In this page the username is shown for info only, it's not editable. The
> old password is not shown again, but kept in memory. I use Cancel
> instead of Back to indicate that we are starting over. The Cancel button
> will bring you back to the first page.

A little change, but it can probably be more straightforward - will do.

2a. The dialog uses a header in the title (the one from #1) and headers
inside (login, reset password). From your examples I'm not sure if you
would like to:
a) remove the inside headers
b) change them to 'login' everywhere
c) keep them unchanged

>
> 3. I noticed that the password is kept in memory too long by the login
> dialog so if you go back and forth between the pages the fields are
> already populated. This might be a security risk. I think the username &
> password should be cleaned up when you click Back/Cancel.

Agree
>
> 4. Is there a plan to provide password reset via email?
>

I don't think so. I'm not sure if it is even useful for FreeIPA. One of the
main purposes of FreeIPA is SSO, and I guess company mail would be
kerberized too. So if you forget the password, you can't log in, reset it,
or even access mail. I guess using external mail is not the way to go.
Maybe it is useful if the company uses an additional authentication mechanism
like PIN + token or other.

-- 
Petr Vobornik
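The dialog workflow discussed in this thread (form-based login, switch to the reset form on an expired password, automatic login after a successful reset, and dropping the stored credentials on Back/Cancel as raised in point 3), as an added JavaScript model; this is not the patch's or FreeIPA's own code. `createDialog`, `fakeServer` and the page names are assumptions standing in for the real dialog and server endpoints.

```javascript
const PAGES = { LOGIN: 'login', RESET: 'reset', DONE: 'done' };

// Dialog model; `server` is an assumed stand-in for the login and password-reset endpoints.
function createDialog(server) {
  const state = { page: PAGES.LOGIN, username: '', password: '', error: null };
  // Form-based login; an expired password switches to the reset form and keeps
  // the typed username and current password, which the reset call needs.
  function login(username, password) {
    const result = server.login(username, password);
    state.error = null;
    if (result === 'ok') {
      Object.assign(state, { page: PAGES.DONE, password: '' }); // no longer needed
    } else if (result === 'password-expired') {
      Object.assign(state, { page: PAGES.RESET, username, password });
    } else {
      state.error = 'Login failed';
    }
    return state.page;
  }
  // Reset the password, then log in again with the new one.
  function reset(newPassword, verify) {
    if (newPassword !== verify) {
      state.error = 'Passwords do not match';
    } else if (server.resetPassword(state.username, state.password, newPassword) !== 'ok') {
      state.error = 'Password reset failed';
    } else {
      return login(state.username, newPassword);
    }
    return state.page;
  }
  // Back/Cancel: return to the login form with stored credentials dropped (point 3).
  function cancel() {
    Object.assign(state, { page: PAGES.LOGIN, username: '', password: '', error: null });
    return state.page;
  }
  return { login, reset, cancel, page: () => state.page, error: () => state.error,
           stored: () => ({ username: state.username, password: state.password }) };
}

// Constructed stand-in server: one account whose password has expired.
function fakeServer() {
  const users = { edewata: { password: 'old-secret', expired: true } };
  return {
    login: (u, p) => (!users[u] || users[u].password !== p) ? 'invalid'
      : (users[u].expired ? 'password-expired' : 'ok'),
    resetPassword(u, oldP, newP) {
      if (!users[u] || users[u].password !== oldP || newP.length < 8) return 'error';
      Object.assign(users[u], { password: newP, expired: false });
      return 'ok';
    },
  };
}
```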