Provide more info in response to authentication errors and allow users to update password on mainframe #3081

Open
adam-wolfe opened this issue Aug 29, 2024 · 1 comment
Labels
enhancement: New feature or request
priority-low: Legit issue but cosmetic or nice-to-have

adam-wolfe commented Aug 29, 2024

Is your feature request related to a problem? Please describe.

Currently, if authentication to z/OSMF fails, we ask the user to update their credentials. However, this may not be useful if the password has expired or if the user ID has been revoked.

Describe the solution you'd like

According to https://www.ibm.com/support/pages/apar/PH34912, there is a PTF for z/OS 2.4 that:

...
3. Enhances the Authenticate REST services to
a. Report if a password is expired, or a user ID is revoked.
b. provide a new REST service to change the password.
HTTP method and URI path for change password:
PUT /zosmf/services/authenticate
...

Note: This functionality must be manually enabled in z/OSMF for it to be provided to consumers of the REST API. See zowe/api-layer#2995

Zowe Explorer should make use of this information to 1. let users know that their password has expired and give them the opportunity to change their password using Zowe Explorer; and 2. tell users if the User ID has been revoked so they know to take some other action.

We should determine how to make use of this information in a way that is backwards compatible for users without the PTF installed. We should also determine what information we get back from the Mediation Layer.

Describe alternatives you've considered

Currently, if credentials are rejected, users have to log into TSO to figure out what they need to do.

Additional context

Research is needed to determine what is available for users authenticating to the API ML. I.e., can we determine if the password has expired or if the user ID has been revoked when users attempt to authenticate to the API Mediation Layer?

Interested mainly in reading:

"messageNumber": "ZWEAT412E" -> "The password for the specified identity has expired"
"messageNumber": "ZWEAT414E" -> "Account Suspended"

adam-wolfe added the enhancement label Aug 29, 2024
adam-wolfe changed the title from "Provide more info in response to z/OSMF authentication errors and allow users to update password on mainframe" to "Provide more info in response to authentication errors and allow users to update password on mainframe" Aug 29, 2024
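
A sketch of the backwards-compatible handling the issue asks for, as an added example that is not part of the issue or of Zowe code: it maps the two message numbers quoted above to a next step and falls back to today's re-prompt when the response carries no recognised message. The `messages` array envelope, the function names, the wording of the next steps and the sample bodies are assumptions.

```typescript
// Added example, not Zowe code. The message numbers are the two quoted in the
// issue; the {"messages":[{...}]} envelope around them is an assumption.
type AuthFailure = "passwordExpired" | "accountSuspended" | "invalidCredentials";

const KNOWN_MESSAGES = new Map<string, AuthFailure>([
  ["ZWEAT412E", "passwordExpired"],  // "The password for the specified identity has expired"
  ["ZWEAT414E", "accountSuspended"], // "Account Suspended"
]);

// Classify the body of a rejected authentication request. The body is treated
// as untrusted input: anything missing, malformed or unrecognised falls back to
// "invalidCredentials" (today's re-prompt), so servers that do not report the
// extra detail keep working.
function classifyAuthFailure(body: string): AuthFailure {
  let parsed: unknown;
  try {
    parsed = JSON.parse(body);
  } catch (_err) {
    return "invalidCredentials"; // empty or non-JSON body
  }
  const messages = (parsed as { messages?: unknown } | null)?.messages;
  if (!Array.isArray(messages)) return "invalidCredentials";
  for (const entry of messages) {
    const num = (entry as { messageNumber?: unknown } | null)?.messageNumber;
    // Map lookup avoids matching inherited object keys such as "constructor".
    const known = typeof num === "string" ? KNOWN_MESSAGES.get(num) : undefined;
    if (known !== undefined) return known;
  }
  return "invalidCredentials";
}

// What the client would do next for each outcome (hypothetical wording).
function nextStep(failure: AuthFailure): string {
  switch (failure) {
    case "passwordExpired":
      return "Password expired: offer to change it";
    case "accountSuspended":
      return "Account suspended: re-entering credentials will not help";
    default:
      return "Credentials rejected: prompt for updated credentials";
  }
}

// Constructed sample bodies (not captured from a real server).
const SAMPLE_EXPIRED = '{"messages":[{"messageType":"ERROR","messageNumber":"ZWEAT412E"}]}';
const SAMPLE_SUSPENDED = '{"messages":[{"messageNumber":"ZWEAT414E"}]}';
const SAMPLE_LEGACY = ""; // no detail reported at all

for (const body of [SAMPLE_EXPIRED, SAMPLE_SUSPENDED, SAMPLE_LEGACY]) {
  console.log(nextStep(classifyAuthFailure(body)));
}
```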

adam-wolfe commented Sep 3, 2024

Suggest implementing functionality in SDKs/CLI before addressing this in Zowe Explorer. Would also want to update creds in secure storage when updating creds on mainframe.

Security considerations may prevent our ability to access more information on authentication failure.

adam-wolfe added the priority-low label Sep 3, 2024
Projects
Status: Low Priority