Implements a proper way to reset password for a OFBiz user (OFBIZ-4361)
Today, there was two proposal into OFBiz Jira : https://issues.apache.org/jira/browse/OFBIZ-4361, this task is to help review and complete these improvements
Idea using JWT :
To remain simple with password update without adding much code into the codebase, we would like to propose a new idea as a first simple step.
service engine to allow the usage of
JWT token to execute a given service as an authenticated user.
The JWT token is generated by OFBiz with its secret and contains into the data payload the allowed
serviceName and the
Given the following usecase :
A user ask for a new password giving his userlogin id.
A mail is sent with a link containing the JWT toke with the
serviceName updatePassword and the
userLoginId into the data payload and a target to an OFBiz no auth required web page described below
The user access through the link to the webpage that present a form containing :
- the JWT in its hidden parameters
- a field asking the new password
- a submit button.
The validation of this form will call the updatePassword service.
Since the user is not authenticated, the
service engine will look into parameters if token exists and will validate it. Else authentication is required...
If a serviceName exists in the data and equals to the called one, other data from the JWT payload are added to the IN attributes.
That will simply allow a basic updatePassword process in trunk, that can be extended easily customizing url target and serviceName for adding verification and so on.