Allow users to change their password once it has expired

Registered by Federico Fernández

Allow users to change their own password once it has expired instead of having to contact an administrator.

Since password expiration was introduced in Keystone, users have to change their password every certain amount of days. If they fail to do so, they have to contact an administrator user to be able to login again. Users should be able to change their password themselves once it has expired in order not to overload administrators and make the whole password expiration process more fluent.

There will be a configuration flag that will be set in the file: ALLOW_USERS_CHANGE_EXPIRED_PASSWORD = True. If this flag is set, when a user whose password has expired tries to log in, they will be asked to change their password right from the log in view. After the change has been successful, the user will be able to log in with the new password, without needing to contact any administrator user to perform the password change.
Should the flag not be set, the user would just be informed that their password has expired, and asked to contact an administrator user. This is the default behavior nowadays.

When a user tries to log in with an expired password, prompt them with a password-change form where they may enter their old password and the new one. After this process has been successful, the user may be able to log in with the new, non-expired password.

Outside Dependencies
Collection of the information about the expiration_date from Keystone is required.

Doc Impact
The new setting should be properly documented, as well as added to the release notes.

Blueprint information

Rob Cresswell
Federico Fernández
Radomir Dopieralski
Series goal:
Accepted for 16.0.0-train
Milestone target:
milestone icon train-1
Started by
Radomir Dopieralski
Completed by
Radomir Dopieralski

Related branches



[robcresswell 2017-01-30]
Are there any work items here? I haven't seen this raised for discussion in the weekly meeting or via email, so I'll close it if there's no further work soon.

[federicofdez 2017-31-01]
Hi! I just thought that I had to wait for the acceptance of the blueprint before moving on to the actual implementation. Should I start with the implementation then?

[robcresswell 2017-02-21]
Can this actually be done via Keystone right now?

[david-lyle 2017-02-21] Marked as blocked as there is no way to currently do this in Keystone. There are active discussions on how this might be accomplished in Keystone, until that's resolved, I don't see how this can progress.

[ying_zuo 2017-09-12] federicofdez, are you still working on this?

[federicofdez 2017-09-13]
Hi! As the blueprint was blocked by david-lyle, I didn't start with the implementation, yet I am willing to implement it as soon as the blueprint is accepted. Is there any progress on that?

[ying_zuo 2017-09-19] I think both Rob and David have concerns about how this can be done and if it's supported by keystone already. Can you provide more implementation details for this feature, for example, the keystone APIs?

Gerrit topic:

Addressed by:
    Add a view for changing user password while not logged in

Addressed by:
    Automatically redirect to the password change when it's expired

Gerrit topic:

Addressed by:
    Documentation and release notes for changing expired passwords


Work Items

This blueprint contains Public information 
Everyone can see this information.