This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Page Comparison - Recovery with Secret Questions (v.3 vs v.4) - Identity Server 5.0.0 - WSO2 Documentation

  1. getCaptcha() - Generates a captcha.
  2. verifyUser() - Validates the captcha answer and the username, and returns a new key.
  3. getUserChallengeQuestionIds() - Retrieves the claim URI IDs specified for the user. You need to provide the key from the previous call; a new key is returned.
  4. getUserChallengeQuestion() - Retrieves the user's challenge question for a claim URI ID obtained from the previous call. You need to provide the key from the previous call.
  5. verifyUserChallengeAnswer() - Validates the answer and confirmation code for the specified question. You need to provide the key from the previous call.
  6. updatePassword() - Updates the password in the system. You need to provide the key from the previous call and the new password; the operation returns the status of the update, i.e. true or false.

The following flow demonstrates how these operations are used for password recovery with two challenge questions:

  • Get the captcha using the getCaptcha() operation and pass the captcha details together with the username to the verifyUser() operation.
  • You will receive a code (key) in the response to this call.
  • After the verification, you can get the challenge question IDs using the getUserChallengeQuestionIds() operation, which returns the defined claim URIs along with a new code.
  • Retrieve the question for the user with the getUserChallengeQuestion() operation, using the code you received.
  • You can define two steps for answering the challenge questions in your web application in order to maximize security.
  • The verifyUserChallengeAnswer() operation is used to verify the answer to a particular question. If both answers are correct, you can call the updatePassword() operation to change the user's password.
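As an added illustration (not WSO2's own code), the following Python model mimics the key chaining described above: each operation consumes the key from the previous call and issues a fresh one, so a client cannot reuse a key, skip a question, or call updatePassword() before both answers have been verified. The method names, the sample user, the claim URIs and the in-memory session layout are all assumptions of this model.

```python
import secrets
USERS = {"alice": {  # constructed sample data: claim URI -> (question, answer)
    "http://wso2.org/claims/challengeQuestion1": ("First pet?", "rex"),
    "http://wso2.org/claims/challengeQuestion2": ("Birth city?", "lima")}}

class RecoveryFlowModel:
    """Toy chained-key flow: each call consumes the previous key and issues a new one."""
    def __init__(self):
        self._sessions, self._captchas = {}, {}  # key -> state; captcha id -> answer
    def _advance(self, key, expected_stage, new_stage):
        sess = self._sessions.pop(key, None)  # keys are single-use
        if sess is None or sess["stage"] != expected_stage:
            raise PermissionError("invalid, reused or out-of-order key")
        sess["stage"] = new_stage
        new_key = secrets.token_hex(16)
        self._sessions[new_key] = sess
        return new_key, sess

    def get_captcha(self):
        cid, answer = secrets.token_hex(4), secrets.token_hex(2)
        self._captchas[cid] = answer
        return cid, answer  # a real captcha returns an image, never the answer

    def verify_user(self, username, cid, captcha_answer):
        if self._captchas.pop(cid, None) != captcha_answer or username not in USERS:
            raise PermissionError("captcha or username check failed")
        key = secrets.token_hex(16)
        self._sessions[key] = {"user": username, "stage": "verified", "answered": set()}
        return key

    def get_user_challenge_question_ids(self, key):
        key, sess = self._advance(key, "verified", "questions")
        return key, list(USERS[sess["user"]])

    def get_user_challenge_question(self, key, uri):
        key, sess = self._advance(key, "questions", ("question", uri))
        return key, USERS[sess["user"]][uri][0]

    def verify_user_challenge_answer(self, key, uri, answer):
        key, sess = self._advance(key, ("question", uri), "questions")
        if USERS[sess["user"]][uri][1] != answer:
            del self._sessions[key]  # a wrong answer ends the whole session
            raise PermissionError("wrong answer")
        sess["answered"].add(uri)
        return key

    def update_password(self, key, new_password):
        sess = self._sessions.pop(key, None)  # consumed whether or not it succeeds
        return (sess is not None and sess["stage"] == "questions"
                and sess["answered"] == set(USERS[sess["user"]]))
```

The model returns the captcha answer only so that it can be exercised offline; the point to carry over to a real client is that every key is single-use and bound to one stage of the flow.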