# talk-hydra
p
Good morning (UK Time anyway) - Is there any admin function to force a user to change their password at the next login? Without resetting the password for them?
m
I guess it depends how you want to “force” them, in the UI or through an email or by locking them out until they change it? If you do it in the UI, you can probably send them to a settings flow to change the password that they have to complete - depends on your app, but you could probably prevent them from seeing other pages/screens until they POSTed the successful settings/change password flow. I have not implemented this, maybe someone else already has a working solution?
s
The only thing that would work from the Kratos perspective is through recovery.
I assume this is about #kratos 🤔 What is the use case you are trying to solve?
p
Locking them before they change their password
That one. Use case would be us detecting an attack that might have impacted that user. Our users might go weeks/months between logins, and resetting their password to force a flow is not good user experience.
Or their email appearing in a breach report on another site
Interestingly, neither AWS Cognito nor Auth0 offer it built in either, so maybe there is a good reason why we wouldn't want to do this?
m
detecting an attack that might have impacted that user
Do you have something specific in mind already? I think email and password leaks would be good examples, but those wouldn’t be too common (I hope) - we already check against haveibeenpwned upon account creation, you can also run your own instance of it.
p
upon account creation
we are going to monitor new breaches, maybe via 3rd party services, and would want to be able to lock existing users who we think might have been compromised
s
but if there is a risk that the account was compromised, you should invalidate all sessions and force a reset 🤔
p
force a reset
that's the bit we don't like
If I force a reset flow, the user has to act on the email, and if they don't, we force them through a forgotten password flow. Not (in our opinion) user friendly. We think we prefer locking the potentially compromised account and forcing them to reset their password when, and only when, they actually intend to access our service.
Think ecommerce - I only log in once a year, around Mother's Day. If you email me now to reset my password I probably will never see the email, or not understand why I'm receiving it, or misunderstand and believe the ecommerce site itself was compromised, when it wasn't.
m
If I force a reset flow, the user has to act on the email, and if they don't, we force them through a forgotten password flow.
Not (in our opinion) user friendly.
We think we prefer locking the potentially compromised account and forcing them to reset their password when, and only when, they actually intend to access our service.
In that case do a normal forgotten password flow but delay the email until they actually access the service
p
delay the email until they actually access the service
haaa... ok, I need to check that
m
Or rather just complete the flow when they access the service so the email doesn't expire.
I think that could work, let me know 😅
s
I think what you should do is:
1. https://www.ory.sh/docs/reference/api#operation/adminDeleteIdentitySessions
2. Delete the fishy credentials by using https://github.com/ory/kratos/pull/2423
This should basically put the identity into the same state as described here: https://www.ory.sh/docs/kratos/manage-identities/create-users-identities i.e. they should be able to trigger a reset, or you trigger one automatically once they try to log in.
p
Thanks - let me do some reading