Usage

This guide explains how to enforce password reset upon expiry for an application using Password Reset Enforcer.

Prerequisites

  • Set up Password Reset Enforcer in your WSO2 Identity Server installation.
  • Enable and configure password expiry in your organization:

      • On the WSO2 Identity Server Console, go to Login & Registration > Password Validation.
      • Enable Password Expiration.
      • Select the users to whom the password expiry policy should apply using Enforce password expiry for.

Choose the password expiry enforcement scope

When Password Expiration is enabled, the Enforce password expiry for setting controls how password expiry enforcement is applied.

  • All application login flows (default): Applies the password expiry policy to all users during sign-in, regardless of the application they access. For applications with Password Reset Enforcer in the login flow, enforcement is triggered inline at the configured step and the organization-wide enforcement is skipped for those applications.

  • Selected application login flows: Disables organization-wide password expiry enforcement. Enforces password expiry only when users sign in to applications that explicitly include Password Reset Enforcer in the login flow.

    Info

    To enforce password expiry for a specific application, add Password Reset Enforcer as an authentication step in the application's login flow.

    See Configure login flows for instructions.

    Tip

    By default, users are automatically signed in after they reset an expired password.

    To require users to sign in again from the beginning of the login flow, check the passwordResetComplete property in the authentication context from your adaptive script and call the fail() function when it is true.

    var onLoginRequest = function(context) {
      // Step 1: the application's first authentication step.
      executeStep(1, {
        onSuccess: function(context) {
          // Step 2: Password Reset Enforcer authenticator.
          executeStep(2, {
            onSuccess: function(context) {
              // passwordResetComplete is set in the context when the user has
              // just reset an expired password during this login attempt.
              var isPasswordResetComplete = context.passwordResetComplete;
              if (isPasswordResetComplete === true) {
                // Terminate the flow so the user must sign in again from the start.
                var parameterMap = {
                  'errorCode': 'password_reset_complete',
                  'errorMessage': 'Your password has been successfully reset due to expiry.',
                  'errorURI': 'https://localhost:9443/authenticationendpoint/retry.do'
                };
                fail(parameterMap);
              }
            }
          });
        }
      });
    };
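    The adaptive script above only runs inside WSO2 Identity Server, so its branching cannot be exercised locally as written. The following is an added example, not part of the WSO2 documentation or product: it defines a minimal stand-in for the adaptive-script runtime (the hypothetical `makeRuntime`, `buildLoginScript` and `simulateLogin` helpers, which mimic only the `executeStep`/`fail` behaviour this page relies on and are not the product's implementation) and runs the same login logic against constructed contexts, checking that the flow is terminated only when a password reset actually took place and that step 2 never runs when step 1 fails.

```javascript
// Added example: offline check of the login-flow script from the Tip above.
// The runtime shape (executeStep/fail) is an assumption made for this example
// and is not WSO2 Identity Server's actual adaptive-script implementation.

// Build a fake runtime for one login attempt. `context` is the constructed
// authentication context; `stepResults` maps step id -> false for steps that
// should be treated as failed (any other step is treated as successful).
// Calls to fail() are recorded instead of redirecting a browser.
function makeRuntime(context, stepResults) {
  const failures = [];
  const executed = [];
  return {
    failures,
    executed,
    executeStep(stepId, handlers) {
      executed.push(stepId);
      const succeeded = stepResults[stepId] !== false;
      if (succeeded && handlers.onSuccess) handlers.onSuccess(context);
      if (!succeeded && handlers.onFail) handlers.onFail(context);
    },
    fail(parameterMap) {
      failures.push(parameterMap);
    },
  };
}

// The script under test: the same logic as the Tip, with executeStep/fail
// resolved from the fake runtime `rt` rather than from global scope.
function buildLoginScript(rt) {
  return function onLoginRequest(context) {
    rt.executeStep(1, {
      onSuccess: function (context) {
        // Step 2: Password Reset Enforcer authenticator.
        rt.executeStep(2, {
          onSuccess: function (context) {
            if (context.passwordResetComplete === true) {
              // Terminate the flow so the user must sign in again from the start.
              rt.fail({
                errorCode: 'password_reset_complete',
                errorMessage: 'Your password has been successfully reset due to expiry.',
                errorURI: 'https://localhost:9443/authenticationendpoint/retry.do',
              });
            }
          },
        });
      },
    });
  };
}

// Run the script against a constructed context and summarise the outcome.
function simulateLogin(context, stepResults = {}) {
  const rt = makeRuntime(context, stepResults);
  buildLoginScript(rt)(context);
  return {
    executed: rt.executed,            // steps that ran, in order
    failed: rt.failures.length > 0,   // whether fail() was invoked
    failures: rt.failures,            // parameter maps passed to fail()
  };
}

// Constructed cases (not captured from a real server):
// 1. Password not expired: the user simply signs in.
const normalLogin = simulateLogin({ passwordResetComplete: false });
// 2. Password Reset Enforcer made the user reset an expired password.
const loginAfterReset = simulateLogin({ passwordResetComplete: true });
// 3. Step 1 fails (bad credentials): step 2 must never be reached.
const failedFirstStep = simulateLogin({ passwordResetComplete: false }, { 1: false });
```

Run it with any recent Node.js; `simulateLogin` returns what happened, so the three constructed cases can be checked directly (only `loginAfterReset` should report `failed: true`, and `failedFirstStep` should show only step 1 executed). Because `fail()` is only recorded here, the script should place no logic after the `fail()` call that must not run in the real flow.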
    

Add Password Reset Enforcer to an application's login flow

  1. On the WSO2 Identity Server Console, go to Applications.

  2. Select the application.

  3. Go to the Login Flow tab.

  4. Add Password Reset Enforcer as an authentication step.

  5. Click Update to save the changes.

Verify the behavior

  1. Ensure the user account has an expired password based on your configured password expiration rules.

  2. Start a sign-in flow to the application.

  3. Confirm that WSO2 Identity Server redirects the user to the password reset screen before completing authentication.

Note

Password Reset Enforcer supports both redirect-based and app-native authentication flows.