My first time with an SSO. Found a way to do what I needed, but feeling my setup is inefficient and there are better approaches. Maybe someone could point out the obvious improvements.
I'm planning to use authentik to manage my company employees. My idea was that I'd set up a user account, give login creds to the user, and on their first login they would be prompted to change the password.
I didn't find a straightforward solution to do that, so I went this way:
Added a user attribute to all new users "mustChangePassword: true"
In default-authentication-flow, after the user has been logged in, I added a User Write Stage (not sure if this is the correct way to use it, but it seemed least harmful). In this stage I bound an expression policy which checks the "mustChangePassword" attribute and conditionally redirects to the password change flow:

```python
# Expression policy bound to the User Write stage: users still carrying the
# mustChangePassword attribute are sent into the password-change flow instead
if request.user.attributes.get("mustChangePassword", False) == True:
    plan = request.context["flow_plan"]
    plan.redirect("https://auth.mydomain.com/if/flow/default-password-change/")
    return False
```
In default-password-change Flow I added a Logout stage at the end with an expression policy, which changes user attribute to false:
Additionally, as I understood, the password change flow currently does not have a built-in comparison of the user-entered password with their current password. So, I created an expression policy and added it as a validation policy to the default-password-change-prompt Stage in the default-password-change Flow. This policy hashes the password and checks it against the current hash:

```python
from django.contrib.auth.hashers import check_password

# Access the new password from the prompt stage data
new_password = request.context["prompt_data"].get("password", None)

# Compare the submitted password against the user's stored password hash
if new_password and check_password(new_password, request.user.password):
    ak_message("New password cannot be the same as the old password.")
    return False

# If the passwords do not match, allow the change
return True
```
It sort of works now, but I haven't tested it extensively. There is a slight issue though: if the user refreshes the page during the password change flow it would let him in, since he has completed the login flow. The attribute would not change, so on the next login it would redirect again.
Can anybody point out some better approaches to do the above?
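The gate described in the post, modelled as stand-alone Python so the two policies and the refresh edge case can be exercised offline. This is an added example, not the poster's code and not authentik's API: `User`, `authorize`, `change_password` and the PBKDF2 stand-in for Django's `check_password` are assumed names for illustration. The point it shows is that the flag is cleared only after a successful password write, and that the gate is evaluated on every application access rather than once at login, so reloading mid-flow cannot skip the change.

```python
"""Constructed model of a first-login password-change gate (example code,
not authentik's implementation)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor for this illustration only


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for Django's make_password: salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def check_password(password: str, encoded: str) -> bool:
    """Stand-in for Django's check_password: constant-time digest comparison."""
    _algo, salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class User:
    """Minimal user record: hashed password plus the attribute from the post."""

    def __init__(self, username: str, initial_password: str) -> None:
        self.username = username
        self.password = hash_password(initial_password)
        self.attributes = {"mustChangePassword": True}


def must_change_password(user: User) -> bool:
    return bool(user.attributes.get("mustChangePassword", False))


def password_change_policy(user: User, new_password: str) -> Tuple[bool, str]:
    """Mirror of the validation policy in the post: reject reuse of the current password."""
    if not new_password:
        return False, "Password must not be empty."
    if check_password(new_password, user.password):
        return False, "New password cannot be the same as the old password."
    return True, ""


def change_password(user: User, new_password: str) -> bool:
    """Write the new hash and clear the flag only after the write succeeded."""
    ok, _reason = password_change_policy(user, new_password)
    if not ok:
        return False
    user.password = hash_password(new_password)
    user.attributes["mustChangePassword"] = False
    return True


def authorize(user: User, application: str) -> str:
    """Gate checked on every application access, not only at login, so a page
    refresh that abandons the change flow still lands on the redirect."""
    if must_change_password(user):
        # Relative form of the flow URL used in the post
        return "redirect:/if/flow/default-password-change/"
    return f"allow:{application}"


if __name__ == "__main__":
    alice = User("alice", "Temp1234!")          # constructed sample user
    print(authorize(alice, "wiki"))             # redirect: flag still set
    print(change_password(alice, "Temp1234!"))  # False: same as current password
    print(authorize(alice, "wiki"))             # still redirect after a "refresh"
    print(change_password(alice, "n3w-Pa55w0rd!"))  # True: flag cleared
    print(authorize(alice, "wiki"))             # allow:wiki
```

Because `authorize` re-reads the attribute on each call, the only way through is a successful `change_password`; the post's flow-level redirect, by contrast, runs once per login, which is exactly why the refresh slips past it.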