
Issues with password validation configurations #19044

Closed
janakamarasena opened this issue Jan 21, 2024 · 3 comments

Comments

@janakamarasena
Member

Describe the issue:
There are two places where password validation can be configured, and it is unclear which takes precedence. Password validation can be configured through the configuration available in the console called Password Validation [1]; a password validation regex can also be configured through the user-mgt.xml (via deployment.toml) config for the PRIMARY userstore, and again when onboarding secondary userstores. It is unclear to which user stores (or whether globally) the Password Validation configuration in the console applies.

I could notice that while the user-mgt password pattern had a minimum char length of 5 (<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>), the UI had enforced a minimum length of 8.


It should be made clear which configuration is honoured. And if there are unused configurations, then references to them should be removed to clear up any confusion.

[1] - https://is.docs.wso2.com/en/next/guides/account-configurations/login-security/password-validation/

@Thumimku
Contributor

Thumimku commented Jan 22, 2024

Hi @janakamarasena ,

With this feature, we introduced an organisation-wide password validation mechanism where the admin can configure password validation rules that are common for all userstores.

Regarding the user store wise password validation feature, the xml files and logic were there to preserve backward compatibility for any migrated users. Hence we can't remove the configuration. But we are not promoting it for new users. In our IS 7 doc space we don't mention userstore-level password validation.

Regarding the precedence, when the password input validation listener is enabled (the current approach), user store level password validation won't work.

Hence, this is not a bug but rather an issue related to documentation for migration.

For migrated users, user store level password validation can be provided by the following configuration, based on my quick research (I have not tested the flow in the console):

Disable input validation listener.

[event.default_listener.validation]
enable = "false"

Enable password policy handler.

[identity_mgt.password_policy.password_policy_validation_handler]
enable=true
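As an added illustration (not WSO2 IS code, and not from anyone in the thread), the precedence described above and the mismatch reported in the issue modelled in Python: the regex and the minimum length are the values quoted in the thread, and the console's org-wide policy is reduced to its minimum-length rule as an assumption.

```python
import re

# Constructed from the thread: the PRIMARY user store PasswordJavaRegEx from
# user-mgt.xml and the minimum length the console's Password Validation enforced.
USERSTORE_REGEX = r"^[\S]{5,30}$"
CONSOLE_MIN_LENGTH = 8


def userstore_accepts(password: str, pattern: str = USERSTORE_REGEX) -> bool:
    """Check a password against the user-store regex.

    fullmatch mirrors Java's String.matches(), which the xml property implies.
    """
    return re.fullmatch(pattern, password) is not None


def console_accepts(password: str, min_length: int = CONSOLE_MIN_LENGTH) -> bool:
    """Model only the minimum-length rule of the console policy (assumption:
    the other org-wide rules are not modelled here)."""
    return len(password) >= min_length


def effective_accepts(password: str, listener_enabled: bool) -> bool:
    """Apply the precedence stated in the thread: with the input validation
    listener enabled only the org-wide console policy is consulted; with it
    disabled (and the password policy handler enabled) the user-store regex
    applies instead."""
    if listener_enabled:
        return console_accepts(password)
    return userstore_accepts(password)


def policy_gaps(candidates, listener_enabled: bool = True):
    """Report candidates where user-mgt.xml and the effective policy disagree.

    Each gap is (password, userstore_verdict, effective_verdict); a non-empty
    list means an admin reading user-mgt.xml would expect a different outcome
    than the one users actually get, which is the confusion raised in the issue.
    """
    gaps = []
    for pw in candidates:
        store_ok = userstore_accepts(pw)
        effective = effective_accepts(pw, listener_enabled)
        if store_ok != effective:
            gaps.append((pw, store_ok, effective))
    return gaps
```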

@DMHP
Contributor

DMHP commented Jan 22, 2024

+1 to add this to migration documents and proceed.

@Thumimku
Contributor

I am closing this issue because the migration issue is tracked in #19068.
CC: @DMHP @janakamarasena
