User password expiration support
Passwords with a limited lifespan are a requirement in some enterprise environments. This proposal addresses that need by introducing:
* a specific exception and HTTP response ('401 Password expired') in the Keystone API;
* storing a password TTL parameter in the database and passing an 'expired password'-specific exception to the core from the SQL identity backend;
* handling the 'password expired' error and passing an 'expired password'-specific exception to the core from the LDAP identity backend.
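A minimal sketch of the SQL-backend half of this proposal, added here as an illustration and not taken from Keystone: every class and function name, the PBKDF2 hashing, and the 90-day TTL are assumptions. It stores an expiry per user and raises a dedicated exception that the API layer maps to '401 Password expired', checking expiry only after the password has verified.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

class Unauthorized(Exception):
    """Generic authentication failure (unknown user or wrong password)."""
    status, title = 401, "Unauthorized"

class PasswordExpired(Unauthorized):
    """Dedicated exception so the API layer can answer '401 Password expired'."""
    title = "Password expired"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SqlLikeIdentity:
    """Hypothetical stand-in for an SQL identity backend: one row per user."""
    def __init__(self, password_ttl):
        self.password_ttl, self.rows = password_ttl, {}  # TTL is a timedelta

    def set_password(self, name, password, now):
        salt = os.urandom(16)
        self.rows[name] = (salt, _hash(password, salt), now + self.password_ttl)

    def authenticate(self, name, password, now):
        # Unknown users get a dummy row so both failure paths do the same work.
        salt, stored, expires_at = self.rows.get(name, (b"\0" * 16, b"\0" * 32, None))
        if not hmac.compare_digest(stored, _hash(password, salt)) or expires_at is None:
            raise Unauthorized()
        # Expiry is checked only after the password verified, so the distinct
        # response reveals nothing to a caller who does not hold the password.
        if now >= expires_at:
            raise PasswordExpired()
        return name

def api_authenticate(backend, name, password, now):
    """Map backend exceptions to (status, reason) as the API layer would."""
    try:
        backend.authenticate(name, password, now)
        return 200, "OK"
    except Unauthorized as exc:
        return exc.status, exc.title

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    idp = SqlLikeIdentity(timedelta(days=90))
    idp.set_password("alice", "s3cret", t0)
    print(api_authenticate(idp, "alice", "s3cret", t0 + timedelta(days=90)))
```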
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Oleg S. Gelbukh
- Direction: Needs approval
- Assignee: Ilya Kharin
- Definition: Obsolete
- Series goal: None
- Implementation: Not started
- Milestone target: None
- Started by:
- Completed by: Morgan Fainberg
Whiteboard
(morganfainberg): This is a larger discussion that needs to be had "how do we make the keystone IDP better". I am marking this as obsolete as we are not planning on extending the SQL identity store at this point - and this will roll into any future fixes that come along with making Keystone's identity store a bit more feature rich.
If a user's password is expired and authentication is denied, what recourse does the user have?