
Password change/reset feature

Open adam-of-barot opened this issue 2 years ago • 2 comments

Hi!

Would it be possible to implement a password change/password reset functionality? While the protocol doesn't mention this feature, the documentation does have a page for it here.

It would be relatively easy to implement a password change page for already logged-in users for the DjangoAuthUser and SqlAuthUser backends, but I'm not sure about the others.

Would this be still in scope for the project?

adam-of-barot avatar Oct 26 '23 09:10 adam-of-barot

Hello and sorry for the late reply,

I think password reset is out of the scope of the project (as a Django app) and should definitely be handled by another app or website.

Although it might be nice to make it easier to display a link on the login page to a site/app responsible for doing that.

I'll consider the change password functionality (and it's not more difficult to do for LDAP than for SQL). python-ldap3 already supports the feature (cf. https://ldap3.readthedocs.io/en/latest/microsoft.html) for simple bind to an AD (Microsoft or Samba alike), and the libraries for hashing passwords for the OpenLDAP userPassword attribute are already there.

But how do you see the flow for a user changing their password? Usually, users (at least my users) do not access the CAS directly: they try to access a website that redirects unauthenticated users to the CAS, which then, if the user is not authenticated into the CAS, asks for a password before redirecting the user to the website with an authentication ticket. They do not usually stay on a CAS page while being connected.

I guess if we allow user password change we must also enforce some sort of configurable password policy (at least for password strength and maybe for password history?).

Cheers

nitmir avatar Apr 13 '24 14:04 nitmir
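The comment above mentions two backend-specific pieces: hashing a value for the OpenLDAP userPassword attribute, and the AD password change that ldap3's microsoft extension wraps. As an added example (not code from django-cas-server or from the commenter), here are both encodings done with the Python standard library only, so a practitioner can see what the library calls produce and verify a stored value. The function names and the 8-byte salt length are assumptions for this illustration.

```python
# Added example, not code from django-cas-server or from the commenter.
# ssha_* handle the OpenLDAP userPassword {SSHA} scheme; ad_* build what an
# LDAP modify against AD's unicodePwd attribute carries (ldap3's microsoft
# extension does this for you). Names and SALT_LEN are assumptions.
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SALT_LEN = 8  # assumed; the scheme only requires that the salt follow the digest


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """userPassword value: '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute with the salt recovered from the stored value; constant-time compare."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_size = hashlib.sha1().digest_size
    if len(raw) <= digest_size:
        return False  # no salt present: malformed value
    digest, salt = raw[:digest_size], raw[digest_size:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def ad_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes and UTF-16-LE encoded."""
    return ('"' + password + '"').encode("utf-16-le")


def ad_password_change_modlist(old_password: str, new_password: str) -> Dict[str, List[Tuple[str, List[bytes]]]]:
    """A user-initiated change is a delete of the old value plus an add of the new
    one (an admin reset would be a single replace). Laid out like the `changes`
    argument of ldap3's Connection.modify(); AD only accepts it over a
    confidential (LDAPS or StartTLS) connection."""
    return {
        "unicodePwd": [
            ("MODIFY_DELETE", [ad_unicode_pwd(old_password)]),
            ("MODIFY_ADD", [ad_unicode_pwd(new_password)]),
        ]
    }
```

{SSHA} is a salted SHA-1 and is still the common default for userPassword; where the directory supports a stronger scheme (OpenLDAP ships contrib password modules for PBKDF2 and Argon2), prefer that and keep ssha_verify only for reading legacy values.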

No problem, thank you for responding!

You are right in that the users don't usually linger on the CAS page itself for long. I think there could be a separate page that we could link to from the actual website once the user is authenticated. So the flow would look like this:

  1. User visits site
  2. Gets redirected to CAS login page
  3. Authenticates
  4. Gets redirected back to website
  5. A link is now visible somewhere that links to another page on the CAS server (like /cas/change_password). That page should only allow logged-in users.

As for password policy, there could be a default validator that could be swapped out in the settings if the developer wants to.

Thank you!

adam-of-barot avatar Apr 29 '24 19:04 adam-of-barot
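To make the proposed flow and the swappable policy concrete, here is an added example (not django-cas-server code and not from either commenter) of the step-5 handler: it refuses unauthenticated sessions, re-proves the old password before touching anything, then runs whichever validator the settings name, with the default enforcing length, no username inside, and a hashed password history. The settings keys, the in-memory user and session stores, and the session cookie name are assumptions made for this illustration; a Django app would read the settings from django.conf.settings and resolve a dotted path with django.utils.module_loading.import_string.

```python
# Added example, not django-cas-server code: a minimal change-password
# handler for the flow sketched above (steps 1-5), with the policy
# validator swapped via a settings dict. Settings keys, in-memory stores
# and the "tgc-..." cookie name are assumptions for this illustration.
import hashlib
import hmac
import importlib
import os
from typing import Callable, Dict, List, Optional, Tuple

# Constructed settings; a Django app would read these from django.conf.settings.
SETTINGS: Dict[str, object] = {
    "PASSWORD_VALIDATOR": None,  # None -> default_validator; "module.attr" path; or a callable
    "PASSWORD_MIN_LENGTH": 12,
    "PASSWORD_HISTORY": 5,       # how many previous hashes are kept for the reuse check
}
ITERATIONS = 100_000  # lowered so the example runs quickly; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 stored as algorithm$iterations$salt$hash (Django-like layout)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = encoded.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed stores: one user, one live CAS session (cookie -> username).
USERS: Dict[str, Dict[str, object]] = {
    "alice": {"password": hash_password("correct horse battery"), "history": []},
}
SESSIONS: Dict[str, str] = {"tgc-abc": "alice"}

Validator = Callable[[str, str, Dict[str, object]], List[str]]


def default_validator(username: str, new_password: str, user: Dict[str, object]) -> List[str]:
    """Default policy: minimum length, no username inside, no reuse of recent passwords."""
    errors: List[str] = []
    min_len = int(SETTINGS["PASSWORD_MIN_LENGTH"])
    if len(new_password) < min_len:
        errors.append(f"password must be at least {min_len} characters")
    if username.lower() in new_password.lower():
        errors.append("password must not contain the username")
    # History holds hashes only, so reuse is detected without keeping plaintext.
    previous = [user["password"]] + list(user["history"])
    if any(check_password(new_password, h) for h in previous):
        errors.append("password was used recently (history)")
    return errors


def resolve_validator() -> Validator:
    """Pick the validator from settings: the default, a dotted 'module.attr' path, or a callable."""
    spec = SETTINGS["PASSWORD_VALIDATOR"]
    if spec is None:
        return default_validator
    if isinstance(spec, str):
        module_name, attr = spec.rsplit(".", 1)
        return getattr(importlib.import_module(module_name), attr)
    return spec  # type: ignore[return-value]


def change_password(session_cookie: str, old_password: str, new_password: str) -> Tuple[bool, str]:
    """Step 5 of the flow: only an authenticated CAS session gets here, and the old
    password is re-proved before the policy is even consulted."""
    username = SESSIONS.get(session_cookie)
    if username is None:
        return False, "not authenticated"
    user = USERS[username]
    if not check_password(old_password, user["password"]):
        return False, "old password incorrect"
    errors = resolve_validator()(username, new_password, user)
    if errors:
        return False, "; ".join(errors)
    history: List[str] = [user["password"]] + list(user["history"])
    user["history"] = history[: int(SETTINGS["PASSWORD_HISTORY"])]
    user["password"] = hash_password(new_password)
    return True, "password changed"
```

Re-checking the old password inside the handler is what keeps a stolen or forgotten-to-log-out CAS session from being enough to take over the account, and it is the same check the handler would need regardless of which backend (SQL, LDAP, AD) finally stores the new value.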