User password expiration support

Registered by Oleg S. Gelbukh on 2012-12-06

User passwords with a limited life span are a requirement in some enterprise environments. This proposal addresses the demand by introducing:
* a specific exception and HTTP response ('401 Password expired') in the Keystone API;
* storing a password TTL parameter in the database and passing an 'expired password'-specific exception to the core from the SQL identity backend;
* handling the 'password expired' error and passing an 'expired password'-specific exception to the core from the LDAP identity backend.
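
A sketch of the flow the three items describe, added here as an example; it is not Keystone code and the blueprint was never implemented. The exception names, the dict-based user row, the PBKDF2 hashing and the choice to check expiry only after the password verifies are all assumptions of this example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

class Unauthorized(Exception):            # hypothetical core exception
    code, title = 401, "Unauthorized"

class PasswordExpired(Unauthorized):      # hypothetical 'expired password' exception
    title = "Password expired"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, ttl_days, now):
    # Row as a SQL backend might store it: hash plus an expiry derived from the TTL.
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "expires_at": now + timedelta(days=ttl_days)}

def authenticate(users, name, password, now):
    user = users.get(name)
    if user is None:
        _hash(password, b"\0" * 16)       # comparable work for unknown users
        raise Unauthorized()
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        raise Unauthorized()
    # Expiry is checked only after the password verified, so the distinct
    # response is never shown to a caller who does not know the password.
    if now >= user["expires_at"]:
        raise PasswordExpired()

def to_http_status(users, name, password, now):
    # API layer: map the backend exception to the status line.
    try:
        authenticate(users, name, password, now)
        return "200 OK"
    except Unauthorized as exc:
        return f"{exc.code} {exc.title}"

# Constructed sample data: one user whose password was set at T0 with a 90-day TTL.
T0 = datetime(2013, 1, 1, tzinfo=timezone.utc)
USERS = {"alice": make_user("s3cret", 90, T0)}
```

A wrong password on an expired account returns the generic 401, so the 'Password expired' response does not reveal account state to someone guessing credentials.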

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Oleg S. Gelbukh
Direction: Needs approval
Assignee: Ilya Kharin
Definition: Obsolete
Series goal: None
Implementation: Not started
Milestone target: None
Completed by: Morgan Fainberg on 2014-10-20

Whiteboard

(morganfainberg): This is a larger discussion that needs to be had "how do we make the keystone IDP better". I am marking this as obsolete as we are not planning on extending the SQL identity store at this point - and this will roll into any future fixes that come along with making Keystone's identity store a bit more feature rich.

If a user's password is expired and authentication is denied, what recourse does the user have?
