As an alternative to recovering passwords using Recovery with Notification, the WSO2 Identity Server also supports recovery using secret questions. Follow the instructions below to configure this.
<IS_HOME>/repository/conf/security/identity-mgt.propertiesfile with the following configurations.
See the following table for descriptions of these configurations.
This enables the identity listener.
This enables the email sending function when recovering the account and verifying the user creation.
The time specified here is in minutes. In this case, the recovery expires after three minutes.
This enables the internal email sending module. If
false, the email sending data is available to the application via a Web service. Thus the application can send the email using its own email sender.
This enables the user account recovery process.
Set this to
trueif you do not have an existing captcha validation module.
Login to the management console and navigate to Configure>Claim Management>
Ensure that the default challenge question claim URIs, Challenge Question 1 and Challenge Question 2, are mapped with the correct attributes in the underlying data store.
- Invoke the UserIdentityManagementAdminService API and set the challenge question for a user using the setChallengeQuestionsOfUser service. The WSDL for this service is as follows:
The following sequence of service calls for recovery with secret questions, uses the UserInformationRecoveryService:
- getCaptcha() - Generates a captcha.
- verifyUser() - Validates the captcha answer and username and returns a new key.
- getUserChallengeQuestionIds() - Retrieve the cliam URI IDs specified for the user with the generated key. Need to provide the key from the previous call.
- getUserChallengeQuestion() - Retrieve the user’s challenge question for the specified claim URI ID from the previous call. Need to provide the key from the previous call.
- verifyUserChallengeAnswer() - Validates the answer and confirmation code for the specified question. Need to provide the key from the previous call.
- updatePassword() - Updates the password in the system. Need to provide the key from the previous call, the new password and return the status of the update, i.e. true or false.
The password recovery flow should be used for the two challenge questions as follows:
- Get the captcha using the
getCaptcha()operation and provide the captcha details with the username to the
- You will receive a code with the call.
- After the verification, you can get the challenge question IDs using the
getUserChallengeQuestionIds()operation, which returns the defined claim URIs along with a code.
- Retrieve the question for the user with the
getUserChallengeQuestion()operation using the code you received.
- You can define two steps to answer the challenge questions in your web application in order to maximize security.
verifyUserChallengeAnswer()operation is used to verify a particular answer for a question. If both answers are correct, you can call the
updatePassword()operation to change the user password.
Tip: You can see this in action when using this sample web app.