OpenStack Dashboard (Horizon)

Allow users to change their password once it has expired

Registered by Federico Fernández on 2016-11-30

Summary
========
Allow users to change their own password once it has expired instead of having to contact an administrator.

Motivation
========
Since password expiration was introduced in Keystone, users have to change their password every certain amount of days. If they fail to do so, they have to contact an administrator user to be able to login again. Users should be able to change their password themselves once it has expired in order not to overload administrators and make the whole password expiration process more fluent.

Description
=========
There will be a configuration flag that will be set in the local_settings.py file: ALLOW_USERS_CHANGE_EXPIRED_PASSWORD = True. If this flag is set, when a user whose password has expired tries to log in, they will be asked to change their password right from the log in view. After the change has been successful, the user will be able to log in with the new password, without needing to contact any administrator user to perform the password change.
Should the flag not be set, the user would just be informed that their password has expired, and asked to contact an administrator user. This is the default behavior nowadays.

UX
===
When a user tries to log in with an expired password, prompt them with a password-change form where they may enter their old password and the new one. After this process has been successful, the user may be able to log in with the new, non-expired password.

Outside Dependencies
==================
Collection of the information about the expiration_date from Keystone is required.

Doc Impact
=========
The new setting should be properly documented, as well as added to the release notes.

Blueprint information

Status:: Complete

Approver:: Rob Cresswell

Priority:: High

Drafter:: Federico Fernández

Direction:: Approved

Assignee:: Radomir Dopieralski

Definition:: Review

Series goal:: Accepted for 16.0.0-train

Implementation:: Implemented

Milestone target:: train-1

Started by: Radomir Dopieralski on 2019-07-23

Completed by: Radomir Dopieralski on 2021-07-29

Related branches

Related bugs

Sprints

Whiteboard

[robcresswell 2017-01-30]
Are there any work items here? I haven't seen this raised for discussion in the weekly meeting or via email, so I'll close it if there's no further work soon.

[federicofdez 2017-31-01]
Hi! I just thought that I had to wait for the acceptance of the blueprint before moving on to the actual implementation. Should I start with the implementation then?

[robcresswell 2017-02-21]
Can this actually be done via Keystone right now?

[david-lyle 2017-02-21] Marked as blocked as there is no way to currently do this in Keystone. There are active discussions on how this might be accomplished in Keystone, until that's resolved, I don't see how this can progress.

[ying_zuo 2017-09-12] federicofdez, are you still working on this?

[federicofdez 2017-09-13]
Hi! As the blueprint was blocked by david-lyle, I didn't start with the implementation, yet I am willing to implement it as soon as the blueprint is accepted. Is there any progress on that?

[ying_zuo 2017-09-19] I think both Rob and David have concerns about how this can be done and if it's supported by keystone already. Can you provide more implementation details for this feature, for example, the keystone APIs?

Gerrit topic: https://review.opendev.org/#/q/topic:bp/allow-users-change-expired-password

Addressed by: https://review.opendev.org/672289
Add a view for changing user password while not logged in

Addressed by: https://review.opendev.org/672315
Automatically redirect to the password change when it's expired

Gerrit topic: https://review.opendev.org/#/q/topic:change-pass-first-login

Addressed by: https://review.opendev.org/676167
Documentation and release notes for changing expired passwords

(?)