Enforce Password Reset for Expired Passwords During the Authentication Flow

In this blog post we will look into how to enforce password reset for expired passwords during the authentication flow. This is done by writing a custom connector and engaging it into the authentication flow.

1. Download connector code from https://github.com/facilelogin/aratuwa/tree/master/carbon-security/org.wso2.carbon.identity.policy.password and build the project with Maven, which will result in a org.wso2.carbon.identity.policy.password-1.0.0.jar file inside the target directory.

2. Copy the file org.wso2.carbon.identity.policy.password-1.0.0.jar to [IS_5.1.0]/repository/components/dropins/.

3. Copy https://github.com/facilelogin/aratuwa/blob/master/carbon-security/org.wso2.carbon.identity.policy.password/src/main/resources/pwd-reset.jsp to [IS_5.1.0]/repository/deployment/server/webapps/authenticationendpoint.

4. Edit the file [IS_5.1.0]/repository/conf/identity/identity-mgt.properties and add the following property.


5. Start WSO2 Identity Server.

6. Create a service provider and under the 'Local & Outbound Authentication Configuration' --> 'Advanced Configuration' - define two steps. The first step with the 'basic' local authenticator and the second step with the 'password-reset-enforcer' local authenticator.

7. Once the service provider is created, we also need to create a claim and map that claim to a user store attribute to hold the timestamp of the password reset event.

8. Claims --> Add --> Add New Claim --> Select  http://wso2.org/claims and create a claim with the claim URI http://wso2.org/claims/lastPasswordChangedTimestamp and make it ReadOnly. Also uncheck 'Supported By Default'.
9. That's it. During the authentication flow, if the password is expired, you will be prompted to reset the password.