
Password change/reset feature #87

Open
adam-of-barot opened this issue Oct 26, 2023 · 2 comments

Comments

@adam-of-barot

Hi!

Would it be possible to implement a password change/password reset functionality?
While the protocol doesn't mention this feature, the documentation does have a page for it here.

It would be relatively easy to implement a password change page for already logged in users for DjangoAuthUser and SqlAuthUser backends, but I'm not sure about the others.

Would this be still in scope for the project?

@nitmir
Owner

nitmir commented Apr 13, 2024

Hello and sorry for the late reply,

I think the password reset is out of the scope of the project (as a Django app) and should definitely be handled by another app or website.

Although maybe making it easier to display a link on the login page to a site/app responsible for doing that would be nice.

I'll consider the change password functionality (and it's not more difficult to do for LDAP than for SQL). python-ldap3 already supports the feature (cf. https://ldap3.readthedocs.io/en/latest/microsoft.html) for simple bind to an AD (Microsoft or Samba alike), and the libs for hashing passwords for the OpenLDAP userPassword attribute are already there.

But how do you see the flow for a user changing their password?
Usually, users (at least my users) do not access the CAS directly: they try to access a website that redirects unauthenticated users to the CAS, which then, if the user is not authenticated into the CAS, asks for a password before redirecting the user to the website with an authentication ticket. They do not usually stay on a CAS page while being connected.

I guess if we allow user password changes we must also enforce some sort of configurable password policy (at least for password strength and maybe for password history?).

Cheers

@adam-of-barot
Author

No problem, thank you for responding!

You are right in that the users don't usually linger on the CAS page itself for long.
I think there could be a separate page that we could link to from the actual website once the user is authenticated.
So the flow would look like this:

  1. User visits site
  2. Gets redirected to CAS login page
  3. Authenticates
  4. Gets redirected back to website
  5. A link is now visible somewhere that links to another page on the CAS server (like /cas/change_password). That page should only allow logged-in users.

As for password policy, there could be a default validator that could be swapped out in the settings if the developer wants to.

Thank you!
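The core of the change-password page and the swappable policy discussed in the two comments above, as an added example that is not django-cas-server's code: the `CAS_PASSWORD_VALIDATOR` and `CAS_PASSWORD_HISTORY` setting names are hypothetical, stdlib PBKDF2 stands in for the project's backend-specific hashing, and the "only logged-in users" guard is assumed to be enforced by the view around it.

```python
import hashlib
import hmac
import os
import re

# Hypothetical CAS_* settings (django-cas-server naming); a real app would resolve a dotted path.
DEFAULT_SETTINGS = {"CAS_PASSWORD_VALIDATOR": None, "CAS_PASSWORD_HISTORY": 5}

class PasswordPolicyError(ValueError):
    """User-facing reason why a password change was refused."""

def hash_password(password, salt=None, rounds=100_000):
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for Django's hashers) as 'salt:digest' hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}:{digest.hex()}"

def check_password(password, stored):
    """Constant-time check of a password against one stored 'salt:digest' entry."""
    return hmac.compare_digest(hash_password(password, bytes.fromhex(stored.split(":", 1)[0])), stored)

class DefaultPasswordValidator:
    """Default strength rules; subclass it and point CAS_PASSWORD_VALIDATOR at the subclass to swap."""
    min_length, min_classes = 12, 3  # classes counted: lowercase, uppercase, digit, symbol
    def validate(self, password, username):
        if len(password) < self.min_length:
            raise PasswordPolicyError(f"at least {self.min_length} characters required")
        classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
        if classes < self.min_classes:
            raise PasswordPolicyError(f"use at least {self.min_classes} character classes")
        if username and username.lower() in password.lower():
            raise PasswordPolicyError("password must not contain the username")

def change_password(username, old_password, new_password, history, settings=DEFAULT_SETTINGS):
    """Core of the change-password page; history[0] is the current hash. Returns the new history."""
    if not history or not check_password(old_password, history[0]):
        raise PasswordPolicyError("current password is incorrect")
    (settings["CAS_PASSWORD_VALIDATOR"] or DefaultPasswordValidator)().validate(new_password, username)
    keep = settings["CAS_PASSWORD_HISTORY"]
    if any(check_password(new_password, h) for h in history[:keep]):
        raise PasswordPolicyError(f"password was used within the last {keep} changes")
    return [hash_password(new_password)] + history[:keep - 1]

def rejection_reason(*args, **kwargs):
    """Form helper: the policy error text, or None when the change is accepted."""
    try:
        change_password(*args, **kwargs)
    except PasswordPolicyError as exc:
        return str(exc)
```

The re-entered current password is verified before any policy check so that a hijacked session alone cannot rotate the credential, and the history list is stored as hashes only.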
