[Freeipa-devel] [PATCH] 659-666 Support of password reset with OTP

Petr Vobornik pvoborni at redhat.com
Thu Jun 26 10:53:56 UTC 2014


On 25.6.2014 19:41, Endi Sukma Dewata wrote:
> On 6/20/2014 10:18 AM, Petr Vobornik wrote:
>> On 11.6.2014 15:19, Petr Vobornik wrote:
>>> Patch set contains both API/server and Web UI parts.
>>>
>>> [PATCH] 659 ldap2: add otp support to modify_password
>>> [PATCH] 660 rpcserver: add otp support to change_password handler
>>> [PATCH] 661 ipa-passwd: add OTP support
>>> [PATCH] 662 webui: support password change with OTP in login screen
>>> [PATCH] 663 webui: placeholder attribute support in textbox and textarea
>>> [PATCH] 664 webui: add placeholders to login screen
>>> [PATCH] 665 webui: rebase user password dialog on password dialog and
>>> add otp support
>>> [PATCH] 666 webui: support otp in reset_password.html
>>>
>>> https://fedorahosted.org/freeipa/ticket/4262
>>
>> attaching rebased patches (mainly because of VERSION conflict)
>
> ACK. Possible improvements (some of which are already discussed on IRC):

pushed to master:
* 7fca783ec554e525465221af13e17f419769c760 ldap2: add otp support to modify_password
* 896920ed12a4601a60ac6a7e6f4f13d9ca48df77 rpcserver: add otp support to change_password handler
* 2df654223259ca336843f37a229838e125c874d6 ipa-passwd: add OTP support
* f9adc5a5f3ed84ae23c4261f7316ad2e84952d68 webui: support password change with OTP in login screen
* 6e7d4ad468854cce8a9a76f3abf8268e3813ff93 webui: placeholder attribute support in textbox and textarea
* e3de46767683c5050377cc5e683cd6e3d28ea4e9 webui: add placeholders to login screen
* 870db2f677dff01750aeec104c90fce3ca0e54be webui: rebase user password dialog on password dialog and add otp support
* 70c77e6a3cfe1a4fbfb5f053a4d47dd2e47d8b3b webui: support otp in reset_password.html


I've shamelessly copied all 13 items into a new trac ticket 
https://fedorahosted.org/freeipa/ticket/4402 to track these possible 
improvements. We can create separate tickets for issues 8, 9, 11, 12 and 13 if 
needed.

>
> 1. The "clock interval" field in the Add OTP Token dialog could be
> disabled for HOTP.
>
> 2. The "clock interval" and "counter" fields (and probably some other
> fields too) in the OTP Token details page could be hidden depending on
> the token type.
>
> 3. The Add OTP Token dialog could provide more descriptive token types:
> time-based or counter-based token instead of just TOTP or HOTP.
>
> 4. The OTP Token details page could show the token type (I suppose the
> model may not be descriptive enough).
>
> 5. It would be nice to have a link/button to add OTP Token from the user
> details page with the owner already set to the user.
>
> 6. The "clock interval" should have a unit of measurement (i.e. seconds).
>
> 7. When logging in with an expired password, the user will be asked to
> reset the password and enter an OTP. Although OTP means one-time password,
> some users could confuse it with the OTP they just entered on the
> previous page. It would be nicer to say "New OTP" or add an explanation
> "Wait for a new OTP" to make sure the user enters a new OTP.
>
> 8. In the "User authentication types" field it might be better to say
> "password + OTP" instead of just "otp". The checkbox value can remain
> "otp".
>
> 9. The "User authentication types" is a bit confusing because if none
> are selected it doesn't mean that no authentication is allowed, but it
> means it's unset and it will use the global setting. The UI probably
> should provide a separate radio button to select "Use global setting" or
> show the effective setting next to it.
>
> 10. The "Default user authentication types" in the global setting is a
> bit confusing because by default nothing is selected but the actual
> default is supposedly not empty.
>
> 11. Ideally the password reset page/dialog should indicate whether the
> old password and the OTP are required based on the actual authentication
> type available to the user.
>
> 12. Ideally there should be a way to display the QR code of an existing
> OTP token.
>
> 13. The UI could also provide a link to download the OTP app or a list
> of supported apps.
>
-- 
Petr Vobornik
