Tags: wso2, wso2-identity-server

WSO2 - Identity server 6.1.0 - Force user to change his password on first login


Is it possible using Identity server 6.1.0 to force the user to change his password on first login ?

I did not find anything in the documentation, but in this case should we use reset password feature to simulate this scenario?


Solution

    1. Introduce a custom user claim to manage the number of successful login attempts. Map it to a SCIM claim as well. (https://is.docs.wso2.com/en/latest/references/extend/provisioning/extend-scim2-user-schemas/#add-the-custom-claim)
    2. Write an event handler subscribing to the POST_AUTHENTICATION event (https://is.docs.wso2.com/en/latest/references/extend/user-mgt/write-a-custom-event-handler/#write-an-event-handler). That event handler should update the custom claim you introduced in step 1 when a user authenticates successfully.
    3. After the user authentication, retrieve the authenticated user's successful login attempt count (the scim2/Me endpoint can be used; otherwise, if your application is an OAuth/OIDC app, you can get the details using the ID token as well).
    4. If the successful login attempt count is 1, provide a password reset UI (from your application) and, based on the input received, invoke the PATCH /scim2/Me endpoint to update the password.
    curl --location --request PATCH 'https://localhost:9443/scim2/Me' \
    --header 'Authorization: Bearer <token obtained by authenticated user>' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "Operations": [
            {
                "op": "replace",
                "value": {
                    "password": "newpassword"
                }
            }
        ],
        "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:PatchOp"
        ]
    }'

    Further, you might need to maintain a claim to track whether the user reset the password successfully from the first login. Otherwise, the user could bypass the password reset.
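The application-side part of the answer (steps 3 and 4 together with the bypass caveat), as an added Python example that is not part of the original answer: the custom schema URN, the two claim attribute names and the offline stand-in for /scim2/Me are assumptions, and the HTTP transport is injected so the same flow can be pointed at a real Identity Server.

```python
# Assumed attribute names (not in the original answer): the two custom claims
# are mapped into WSO2's custom SCIM schema under these names.
CUSTOM_SCHEMA = "urn:scim:wso2:schema"
LOGIN_COUNT_ATTR = "successfulLoginCount"
RESET_DONE_ATTR = "firstLoginPasswordResetDone"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def is_first_login(me: dict) -> bool:
    """Step 4 of the answer: the successful-login counter kept by the event handler is 1."""
    return int(me.get(CUSTOM_SCHEMA, {}).get(LOGIN_COUNT_ATTR, 0)) == 1

def needs_first_login_reset(me: dict) -> bool:
    """Gating check: is_first_login() alone is bypassable (log in twice), so the completion claim decides."""
    done = str(me.get(CUSTOM_SCHEMA, {}).get(RESET_DONE_ATTR, "false")).lower() == "true"
    return not done

def patch_op(value: dict) -> dict:  # PATCH /scim2/Me body with one 'replace' op, as in the curl call
    return {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": value}]}

def enforce_first_login_reset(http, token, new_password, base="https://localhost:9443"):
    """Application-side flow; http(method, url, headers, body) -> (status, json) is injected."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    me_url = f"{base}/scim2/Me"
    status, me = http("GET", me_url, headers, None)
    if status != 200:
        raise RuntimeError(f"GET /scim2/Me failed: HTTP {status}")
    if not needs_first_login_reset(me):
        return False  # nothing to enforce
    status, _ = http("PATCH", me_url, headers, patch_op({"password": new_password}))
    if status != 200:
        raise RuntimeError(f"password update failed: HTTP {status}")
    # Record completion only after the change succeeded (assumes the user may write this claim).
    status, _ = http("PATCH", me_url, headers, patch_op({CUSTOM_SCHEMA: {RESET_DONE_ATTR: "true"}}))
    if status != 200:
        raise RuntimeError(f"claim update failed: HTTP {status}")
    return True

class FakeMeEndpoint:
    """Constructed stand-in for /scim2/Me so the flow can be exercised offline."""
    def __init__(self, login_count, reset_done=False):
        self.user = {"userName": "alice", CUSTOM_SCHEMA: {
            LOGIN_COUNT_ATTR: login_count, RESET_DONE_ATTR: str(reset_done).lower()}}
        self.password_changes = 0
    def __call__(self, method, url, headers, body):
        if method == "GET":
            return 200, self.user
        for op in body["Operations"]:
            self.password_changes += "password" in op["value"]
            self.user[CUSTOM_SCHEMA].update(op["value"].get(CUSTOM_SCHEMA, {}))
        return 200, self.user
```

If the completion claim is made read-only for end users, the final PATCH has to be issued by a privileged client instead of with the user's own token.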