Identity Patterns with the WSO2 Identity Server
Enforce password reset for expired passwords during the authentication flow

Problem:
  • During the authentication flow, check whether the end-user's password has expired and, if so, prompt the user to change it before the login completes.
Solution:
  • Configure multi-step authentication for the corresponding service provider. 
  • Engage basic authenticator for the first step, which accepts username/password from the end-user. 
  • Write a handler (a local authenticator) and engage it in the second step. It checks the validity of the password that was already verified in the first step and, if that password has expired, redirects the user to a password reset page instead of completing the login. 
  • Sample implementation: http://blog.facilelogin.com/2016/02/enforce-password-reset-for-expired.html 
  • Products: WSO2 Identity Server 5.0.0+
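The second-step handler from the solution above, written out as an added example (this is not the blog's sample implementation, nor WSO2 project code). It extends the framework's AbstractApplicationAuthenticator and overrides process() so that a user whose password is still fresh passes straight through, while an expired password causes a redirect to a reset page. The claim URI holding the last password change time, the 90-day policy, the reset page path and the postback parameter name are assumptions chosen for the example; the expiry decision itself is in a pure static method that fails closed (a missing, unparsable or future timestamp counts as expired), so it can be unit tested without the framework.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.user.api.UserStoreManager;

/**
 * Second-step local authenticator (added example, not WSO2 project code).
 * Step 1 (basic authenticator) has already verified the password; this step
 * only decides whether that password is too old to keep using.
 */
public class PasswordExpiryAuthenticator extends AbstractApplicationAuthenticator
        implements LocalApplicationAuthenticator {

    // Hypothetical values chosen for this example, not taken from the page.
    private static final String LAST_CHANGED_CLAIM = "http://wso2.org/claims/lastPasswordChangedTimestamp";
    private static final long MAX_AGE_MS = TimeUnit.DAYS.toMillis(90);
    private static final String RESET_PAGE = "/authenticationendpoint/reset-password.jsp";
    private static final String RESET_DONE_PARAM = "passwordResetDone";

    /** Pure policy check. Fails closed: missing, unparsable or future timestamps count as expired. */
    static boolean isExpired(String lastChangedMillis, long nowMillis, long maxAgeMs) {
        if (lastChangedMillis == null || lastChangedMillis.trim().isEmpty()) {
            return true;
        }
        long changed;
        try {
            changed = Long.parseLong(lastChangedMillis.trim());
        } catch (NumberFormatException e) {
            return true;
        }
        if (changed > nowMillis) {
            return true; // clock skew or tampered value: do not trust it
        }
        return nowMillis - changed > maxAgeMs;
    }

    @Override
    public AuthenticatorFlowStatus process(HttpServletRequest request, HttpServletResponse response,
                                           AuthenticationContext context)
            throws AuthenticationFailedException, LogoutFailedException {
        if (context.isLogoutRequest()) {
            return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
        }
        // Only the identity established in step 1 is trusted; never read the username from the request.
        AuthenticatedUser user = context.getSequenceConfig().getStepMap().get(1).getAuthenticatedUser();
        if (user == null) {
            throw new AuthenticationFailedException("Step 1 did not produce an authenticated user");
        }
        if (!isExpired(readLastChanged(user), System.currentTimeMillis(), MAX_AGE_MS)) {
            context.setSubject(user);
            return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
        }
        if (canHandle(request)) {
            // The reset page reported completion but the claim still says expired.
            processAuthenticationResponse(request, response, context);
            return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
        }
        initiateAuthenticationRequest(request, response, context);
        return AuthenticatorFlowStatus.INCOMPLETE;
    }

    @Override
    public boolean canHandle(HttpServletRequest request) {
        return request.getParameter(RESET_DONE_PARAM) != null;
    }

    @Override
    protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context)
            throws AuthenticationFailedException {
        try {
            // sessionDataKey lets the reset page post back into this same authentication flow.
            response.sendRedirect(RESET_PAGE + "?sessionDataKey=" + context.getContextIdentifier());
        } catch (IOException e) {
            throw new AuthenticationFailedException("Could not redirect to the password reset page", e);
        }
    }

    @Override
    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context)
            throws AuthenticationFailedException {
        // Reached only when the postback flag is present but the stored claim was not refreshed:
        // the flag alone proves nothing, so the step fails rather than trusting it.
        throw new AuthenticationFailedException("Password is still expired; the reset did not take effect");
    }

    /** Reads the assumed last-change claim for the step-1 user from its user store. */
    private String readLastChanged(AuthenticatedUser user) throws AuthenticationFailedException {
        String name = user.getUserStoreDomain() != null
                ? user.getUserStoreDomain() + "/" + user.getUserName() : user.getUserName();
        try {
            UserStoreManager usm = IdentityTenantUtil
                    .getRealm(user.getTenantDomain(), user.getUserName()).getUserStoreManager();
            return usm.getUserClaimValue(name, LAST_CHANGED_CLAIM, null);
        } catch (Exception e) {
            throw new AuthenticationFailedException("Could not read the password age for the user", e);
        }
    }

    @Override public String getContextIdentifier(HttpServletRequest request) { return request.getParameter("sessionDataKey"); }
    @Override public String getName() { return "PasswordExpiryAuthenticator"; }
    @Override public String getFriendlyName() { return "password-expiry"; }
}
```

The decision is made on the server-side claim every time process() runs, never on the postback parameter: after the user returns from the reset page the claim is re-read, and only a refreshed timestamp lets the step complete. The authenticator is registered as an OSGi service in the usual way for a local authenticator and then selected as the second step of the service provider's advanced authentication configuration.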