IdStory IdM modules » Technical accounts

Current state¶

Backend¶

PasswordChangeController

• main entry point for password changes
• passwordChange(UUID, PasswordChangeDto)
  • hardcoded IdmIdentityDto lookup
  • authenticates, if identity is not authenticated
    • for unauthenticated password change, or mustChange when logging in with expired password
  • Checks permission for password change after authentication
  • Calls identityService.passwordChange(identity, PasswordChangeDto)
    IdmIdentityService
• Publishes IdmIdentityEvent.PASSWORD
  • identity-password-validate-processor(acc)
    • Fetches all identity accounts
    • Validates provided accounts (password change type)
    • Validates against system password policies for each account
  • identity-password-validate-processor(core)
    • Validates all aspects of password change (original pwd requirement, policies, change type)
  • identity-uniform-password-processor
    • Handles uniform password stuff and password filter echo
    • Uses identity only for account searches
  • identity-password-processor
    • saves PasswordDto and handles password age from idm password policy
  • core-identity-demo-change-processor
    • for monitoring changes on admin identity
  • identity-password-provisioning-processor
    • setup echo
    • call provisioningService.changePassword(identity, passwordChangeDto)
    • process results and handle password filter
  • identity-password-change-notification
    • Notifies identity of password change
      ProvisioningService
• Calls provisioning executor changePassword
  • uses dto and PasswordChangeDto as input (no need for identity)

Frontend¶

All of frontend only works with identity and its accounts

PasswordChangeComponent

• Renders form and sends requests to backend controller
• hard coupling on identityManager and identityService
  PasswordChangeRoute
  PasswordRoute
  PasswordChangeForm

Requirements¶

Enable use case of changing account’s password from account detail
Support identity account and Technical accounts
Support accounts without owner (AccAccount)

Proposed changes¶

Backend¶

Introduce a new interface PasswordManageable
Extract common password management logic into common predecessors for all password processors
Move logic from PasswordController somewhere, where it can be generalized for different PasswordManageables
Move event type PASSWORD from IdmIdentityEventType to a new event type, which is not tied to IdmIdentity

• Make all password processors react to this new event
  Update tests and write new ones for tech account password management

Frontend¶

Make PasswordChangeComponent take managers as a prop, so that we can supply correct managers
introduce new routes for password change on account detail

• No need for other tabs such as Password details and Tokens, just change form