Allow users to change their password once it has expired
Summary
========
Allow users to change their own password once it has expired instead of having to contact an administrator.
Motivation
========
Since password expiration was introduced in Keystone, users have to change their password every set number of days. If they fail to do so, they have to contact an administrator to be able to log in again. Users should be able to change their own password once it has expired, so that administrators are not overloaded and the whole password expiration process runs more smoothly.
Description
=========
There will be a configuration flag that will be set in the local_settings.py file: ALLOW_USERS_
If the flag is not set, the user is only informed that their password has expired and asked to contact an administrator. This is the current default behavior.
UX
===
When a user tries to log in with an expired password, prompt them with a password-change form where they enter their old password and the new one. Once the change has succeeded, the user can log in with the new, non-expired password.
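The flow from the Description and UX sections, as an added example that is not Horizon's own code. The function names, the `allow_self_change` parameter (standing in for the local_settings.py flag) and the `keystone.example` URL are assumptions, as is a Keystone deployment that accepts `POST /v3/users/{user_id}/password` without a token.

```python
import json
from urllib.parse import quote


def next_step(password_expired, allow_self_change):
    """Decide what the login view does after authentication fails.

    allow_self_change is a hypothetical stand-in for the flag that the
    Description places in local_settings.py.
    """
    if not password_expired:
        return "show_login_error"
    if allow_self_change:
        return "show_password_change_form"
    # Flag not set: the default behavior described in the blueprint.
    return "tell_user_to_contact_admin"


def validate_change_form(old_password, new_password):
    """Return a list of form errors; an empty list means the form is usable."""
    errors = []
    if not old_password:
        # The user is not logged in, so the old password is the only
        # proof that the request comes from the account owner.
        errors.append("old password is required")
    if not new_password:
        errors.append("new password is required")
    elif new_password == old_password:
        errors.append("new password must differ from the old one")
    return errors


def build_change_request(keystone_url, user_id, old_password, new_password):
    """Describe the Keystone v3 self-service password change call."""
    errors = validate_change_form(old_password, new_password)
    if errors:
        raise ValueError("; ".join(errors))
    # Percent-encode the id so it cannot alter the request path.
    path = "/v3/users/%s/password" % quote(user_id, safe="")
    body = {"user": {"original_password": old_password,
                     "password": new_password}}
    return {
        "method": "POST",
        "url": keystone_url.rstrip("/") + path,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }
```

The returned dictionary only describes the request; sending it and mapping Keystone's response back onto the form is left to the caller.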
Outside Dependencies
==================
Horizon must be able to collect the expiration_date information from Keystone.
Doc Impact
=========
The new setting should be properly documented, as well as added to the release notes.
Blueprint information
- Status: Complete
- Approver: Rob Cresswell
- Priority: High
- Drafter: Federico Fernández
- Direction: Approved
- Assignee: Radomir Dopieralski
- Definition: Review
- Series goal: Accepted for 16.0.0-train
- Implementation: Implemented
- Milestone target: train-1
- Started by: Radomir Dopieralski
- Completed by: Radomir Dopieralski
Whiteboard
[robcresswell 2017-01-30]
Are there any work items here? I haven't seen this raised for discussion in the weekly meeting or via email, so I'll close it if there's no further work soon.
[federicofdez 2017-31-01]
Hi! I just thought that I had to wait for the acceptance of the blueprint before moving on to the actual implementation. Should I start with the implementation then?
[robcresswell 2017-02-21]
Can this actually be done via Keystone right now?
[david-lyle 2017-02-21] Marked as blocked as there is no way to currently do this in Keystone. There are active discussions on how this might be accomplished in Keystone; until that's resolved, I don't see how this can progress.
[ying_zuo 2017-09-12] federicofdez, are you still working on this?
[federicofdez 2017-09-13]
Hi! As the blueprint was blocked by david-lyle, I didn't start with the implementation, yet I am willing to implement it as soon as the blueprint is accepted. Is there any progress on that?
[ying_zuo 2017-09-19] I think both Rob and David have concerns about how this can be done and if it's supported by Keystone already. Can you provide more implementation details for this feature, for example, the Keystone APIs?
Gerrit topic: https:/
Addressed by: https:/
Add a view for changing user password while not logged in
Addressed by: https:/
Automatically redirect to the password change when it's expired
Gerrit topic: https:/
Addressed by: https:/
Documentation and release notes for changing expired passwords