Recover password via Challenge Questions
WSO2 Identity Server enables resetting user passwords by correctly responding to predefined challenge questions (also known as security questions).
Prerequisites
Enable password reset via challenge questions
Enable password reset via challenge questions for a specific tenant
Follow the steps below to configure WSO2 Identity Server to enable password reset by answering a challenge question.
1. Sign in to the WSO2 Identity Server Management Console (https://<HOST>:<PORT>/carbon) as an administrator.
2. On the Main tab, click Identity > Identity Provider > Resident.
3. Under the Account Management section, click Account Recovery.
4. Enter the required values as given below:
   - Security question based password recovery: Selected
   - Number of questions required for password recovery: 2
   Note: Select Enable reCaptcha for security questions based password recovery and configure Max failed attempts for reCaptcha to enable reCAPTCHA after the maximum number of failed attempts at the security questions. See Setting Up reCAPTCHA for more information.
   This Max failed attempts for reCaptcha value should be less than the number of failed attempts configured in the account locking connector. To view the number of failed attempts configured for the account lock feature, expand the Login Attempts Security tab and then expand the Account Lock tab.
5. Click Update.
Enable password reset via challenge questions globally
1. Navigate to the <IS_HOME>/repository/conf/deployment.toml file and add the following configurations.
   Tip: To avoid any configuration issues, do this before starting the WSO2 Identity Server product instance.
   ```toml
   [identity_mgt.password_reset_challenge_questions]
   enable_password_reset_challenge_questions = true
   min_required_answers = "2"
   ```
   Note: If you want to enable reCAPTCHA for password recovery, set enable_recaptcha to true as a property of [identity_mgt.password_reset_challenge_questions] in the deployment.toml file. See Setting Up reCAPTCHA for more information.
   ```toml
   enable_recaptcha = true
   failures_before_recaptcha = "2"
   ```
2. You have now successfully configured reCAPTCHA for the password recovery flow.
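The two constraints this section places on the configuration (the table must be present and enabled, and the reCAPTCHA failure threshold must stay below the account-lock threshold) are easy to get wrong by hand. The following script is an added example, not code from the WSO2 documentation or product: it parses the flat `[table]` / `key = value` subset of TOML used above and reports any inconsistency. The account-lock threshold is passed in as a number because its deployment.toml key is not shown on this page; `SAMPLE_TOML` is a constructed copy of the snippet above with reCAPTCHA enabled.

```python
"""Check the challenge-question recovery settings in deployment.toml.

Added example; it is not part of the WSO2 documentation or product. It parses
only the flat `[table]` / `key = value` subset of TOML that the snippet on the
page uses, so it needs no tomllib or third-party package.
"""
import re

SECTION = "identity_mgt.password_reset_challenge_questions"

# Constructed sample: the page's snippet, with reCAPTCHA enabled, written
# one key per line as it appears in the real file.
SAMPLE_TOML = """
[identity_mgt.password_reset_challenge_questions]
enable_password_reset_challenge_questions = true
min_required_answers = "2"
enable_recaptcha = true
failures_before_recaptcha = "2"
"""

_KV = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.+)$")


def _coerce(raw):
    """Turn a TOML scalar (bool, integer or quoted string) into a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_simple_toml(text):
    """Parse a flat TOML document into {table: {key: value}}.

    Comments are stripped at the first '#', which is fine for this subset
    (no quoted value on the page contains '#').
    """
    tables, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            tables.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            tables[current][m.group(1)] = _coerce(m.group(2).strip())
    return tables


def _as_int(value, default):
    """Values on the page are quoted ("2"), so accept both int and numeric string."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def check_recovery_config(toml_text, account_lock_max_failed_attempts):
    """Return a list of findings; an empty list means the table is consistent.

    account_lock_max_failed_attempts is the threshold set in the account
    locking connector (read from the Account Lock tab, as the page describes);
    it is passed in because its deployment.toml key is not shown on the page.
    """
    findings = []
    table = parse_simple_toml(toml_text).get(SECTION)
    if table is None:
        return [f"[{SECTION}] table is missing"]
    if table.get("enable_password_reset_challenge_questions") is not True:
        findings.append("enable_password_reset_challenge_questions is not true")
    if _as_int(table.get("min_required_answers"), 0) < 1:
        findings.append("min_required_answers must be at least 1 (the page uses 2)")
    if table.get("enable_recaptcha") is True:
        failures = _as_int(table.get("failures_before_recaptcha"), -1)
        if failures < 0:
            findings.append("failures_before_recaptcha is missing or not a number")
        elif failures >= account_lock_max_failed_attempts:
            findings.append(
                f"failures_before_recaptcha ({failures}) must be less than the "
                f"account lock threshold ({account_lock_max_failed_attempts})")
    return findings


if __name__ == "__main__":
    for finding in check_recovery_config(SAMPLE_TOML, 5) or ["no findings"]:
        print(finding)
```

Run it against the real file with `check_recovery_config(open(path).read(), threshold)` after reading the threshold from the Account Lock tab; a non-empty list means the reCAPTCHA gate would never trigger before the account locks, or the feature is not actually enabled.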
Configure the challenge questions
1. Access the WSO2 Identity Server My Account (https://<HOST>:<PORT>/myaccount) application.
2. Log in with the credentials of the user account that you created.
3. Select the Security tab.
4. Under Account Recovery, click + to add or update security questions.
5. Configure the challenge questions as given below:
   - Challenge Question 1: Name of your first pet?
     Your Answer: Tommy
   - Challenge Question 2: Favourite food?
     Your Answer: Pizza
6. Click Save.
7. Sign out.
Try it out
Recover password using the My Account application
1. Access the WSO2 Identity Server My Account (https://<HOST>:<PORT>/myaccount) application.
2. Click Password.
3. Enter the user name of the newly created user and, if multiple recovery options are displayed, select the Recover with Security Questions option.
4. Click Submit.
5. Enter the first challenge question answer as Tommy and click Submit.
6. Enter the second challenge question answer as Pizza and click Submit.
7. Enter the new password and click Proceed.
8. Enter the username and new password and click Sign In. The My Account home screen appears.
Recover password using the REST API
You can use the following curl commands to recover a password using the REST API.
Get challenge question of user
This API is used to initiate password recovery using user challenge questions, one at a time. The response is a random challenge question together with a confirmation key.
Request
```bash
curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" "https://localhost:9443/api/identity/recovery/v0.9/security-question?username=[USERNAME]"
```
Sample Request
```bash
curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" "https://localhost:9443/api/identity/recovery/v0.9/security-question?username=kim"
```
Sample Response
```json
{
  "key": "7ced9ef0-7f3f-4f65-a115-ddbcce3a6b49",
  "question": {
    "question": "Place of birth ?",
    "question-set-id": "http://wso2.org/claims/challengeQuestion1"
  }
}
```
Validate user challenge answer/answers
Request
```bash
curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"key": "[VALIDATION KEY]","answers": [{ "question-set-id": "http://wso2.org/claims/challengeQuestion1","answer": "[ANSWER]"},{"question-set-id": "http://wso2.org/claims/challengeQuestion2","answer": "[ANSWER2]"}],"properties": []}' "https://localhost:9443/api/identity/recovery/v0.9/validate-answer"
```
Sample Request
```bash
curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"key": "0b20bd4d-cd82-4e8f-8ca4-4d265360b56b","answers": [{ "question-set-id": "http://wso2.org/claims/challengeQuestion1","answer": "Sri Lanka"},{"question-set-id": "http://wso2.org/claims/challengeQuestion2","answer": "BMW"}],"properties": []}' "https://localhost:9443/api/identity/recovery/v0.9/validate-answer"
```
Sample Response
```json
{
  "key": "c45d7251-59f1-468d-9844-8a6d7c5fe9d9",
  "question": null,
  "link": {"rel": "set-password", "uri": "/api/identity/recovery/v0.9"}
}
```
Get challenge questions of user
This API is used to initiate password recovery by answering all the challenge questions at once. The response contains random challenge questions from the ones configured and a confirmation key.
Request
```bash
curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" "https://localhost:9443/api/identity/recovery/v0.9/security-questions?username=[USERNAME]"
```
Sample Request
```bash
curl -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" "https://localhost:9443/api/identity/recovery/v0.9/security-questions?username=kim"
```
Sample Response
```json
{
  "key": "f9f04fd7-3666-4bc6-bc99-9190b04b0ccc",
  "questions": [
    {"question": "Place of birth?", "question-set-id": "http://wso2.org/claims/challengeQuestion1"},
    {"question": "Model of your first car?", "question-set-id": "http://wso2.org/claims/challengeQuestion2"}
  ],
  "link": {"rel": "validate-answer", "uri": "/api/identity/recovery/v0.9"}
}
```
Update password
This API is used to reset the user password using the confirmation key received through the recovery process. Input the key and the new password.
Request
```bash
curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"key": "[CONFIRMATION KEY]", "password": "[NEW PASSWORD]","properties": []}' "https://localhost:9443/api/identity/recovery/v0.9/set-password"
```
Sample Request
```bash
curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"key": "5c765a47-6764-4048-b5cf-55864cb654c0", "password": "Password1!","properties": []}' "https://localhost:9443/api/identity/recovery/v0.9/set-password"
```
Sample Response
```
HTTP/1.1 200 OK
```
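The three curl calls above are one stateful exchange: the key returned by security-questions is spent on validate-answer, which issues a fresh key that is in turn spent on set-password, and the `link.rel` in each response names the next step. The script below is an added example, not code from the WSO2 documentation or product, that drives that exchange as a client. It assumes the v0.9 endpoints and Basic-auth service account shown on the page; `http_send` is the only function that touches the network, and `replay_send` is a constructed offline transport that returns the page's sample responses for user `kim` so the flow can be exercised without a server.

```python
"""Drive the challenge-question password recovery REST flow end to end.

Added example; it is not code from the WSO2 documentation or product. It
assumes the v0.9 recovery endpoints shown on the page (security-questions,
validate-answer, set-password) and a Basic-auth service account. The `send`
callable is the only thing touching the network, so the flow can be replayed
offline against the page's sample responses.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

RECOVERY_PATH = "/api/identity/recovery/v0.9"


def basic_auth_header(user, password):
    """Authorization header value in the form the page's curl commands use."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def http_send(method, url, headers, body=None, verify_tls=True):
    """Real transport: one JSON request; returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for a lab instance with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw.strip() else None)


def answers_payload(key, questions, answers_by_set_id):
    """Pair every served question-set-id with its answer. Each item needs an
    explicit "answer" field; that is the part most often mistyped by hand."""
    answers = []
    for q in questions:
        set_id = q["question-set-id"]
        if set_id not in answers_by_set_id:
            raise KeyError(f"no answer supplied for {set_id}")
        answers.append({"question-set-id": set_id, "answer": answers_by_set_id[set_id]})
    return {"key": key, "answers": answers, "properties": []}


def recover_password(base_url, auth_header, username, answers_by_set_id,
                     new_password, send=http_send):
    """Run the three-step flow; returns the final confirmation key on success."""
    headers = {"Authorization": auth_header, "Content-Type": "application/json"}
    url = f"{base_url}{RECOVERY_PATH}"
    # 1. Start recovery: the server picks the questions and issues a key.
    status, body = send("GET", f"{url}/security-questions?username="
                        + urllib.parse.quote(username), headers)
    if status != 200 or not body or "key" not in body:
        raise RuntimeError(f"could not start recovery (HTTP {status})")
    # 2. Answer all served questions in one request.
    status, body = send("POST", f"{url}/validate-answer", headers,
                        answers_payload(body["key"], body.get("questions", []), answers_by_set_id))
    if status != 200 or not body or "key" not in body:
        raise RuntimeError(f"answer validation failed (HTTP {status})")
    if (body.get("link") or {}).get("rel") != "set-password":
        raise RuntimeError("server did not advance to set-password")
    key = body["key"]  # a fresh confirmation key is issued at each step
    # 3. Set the new password with the confirmation key.
    status, _ = send("POST", f"{url}/set-password", headers,
                     {"key": key, "password": new_password, "properties": []})
    if status != 200:
        raise RuntimeError(f"set-password failed (HTTP {status})")
    return key


# Constructed offline transport replaying the page's sample responses for user "kim".
EXPECTED_ANSWERS = {"http://wso2.org/claims/challengeQuestion1": "Sri Lanka",
                    "http://wso2.org/claims/challengeQuestion2": "BMW"}


def replay_send(method, url, headers, body=None):
    path = url.split(RECOVERY_PATH, 1)[1]
    if method == "GET" and path == "/security-questions?username=kim":
        return 200, {"key": "f9f04fd7-3666-4bc6-bc99-9190b04b0ccc", "questions": [
            {"question": "Place of birth?", "question-set-id": "http://wso2.org/claims/challengeQuestion1"},
            {"question": "Model of your first car?", "question-set-id": "http://wso2.org/claims/challengeQuestion2"}],
            "link": {"rel": "validate-answer", "uri": RECOVERY_PATH}}
    if method == "POST" and path == "/validate-answer":
        given = {a.get("question-set-id"): a.get("answer") for a in body.get("answers", [])}
        if given != EXPECTED_ANSWERS:
            return 400, None  # wrong or malformed answers: no key is issued
        return 200, {"key": "c45d7251-59f1-468d-9844-8a6d7c5fe9d9", "question": None,
                     "link": {"rel": "set-password", "uri": RECOVERY_PATH}}
    if method == "POST" and path == "/set-password" and body.get("key") == "c45d7251-59f1-468d-9844-8a6d7c5fe9d9":
        return 200, None
    return 404, None


if __name__ == "__main__":
    auth = basic_auth_header("admin", "admin")
    print(recover_password("https://localhost:9443", auth, "kim", EXPECTED_ANSWERS,
                           "Password1!", send=replay_send))
```

Against a live instance, call `recover_password` with the default `send` (pass `verify_tls=False` through a `functools.partial` only for a self-signed lab certificate); the replay transport also shows why the validate-answer body on this page must carry an `answer` field per item, since an item without it never matches the expected answers.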
Manage challenge questions using REST APIs
There are a number of operations related to challenge questions that you can perform using REST APIs. To manage the challenge questions and answers of a user using REST APIs, see Manage Challenge Questions.