Skip to main content
Version: 8.2411.x.x RR

IdmChangePasswordState

This AuthState is a processing AuthState.

This plug-in provides a password change mechanism for an already authenticated user. It may be used as a next step after the chapter IdmPasswordVerifyState"] to handle a "pwChange" transition:

TopicDescription
Classch.nevis.idm.authstate.IdmChangePasswordState
LoggingIdmAuth
Auditingnone
MarkerNevisIDM:mutation
PropertieslegacyLitDictMode (boolean, true) Defines how the policy info/violations are saved in the notes (see the topic Notes in this table). Note that legacyLitDictMode=true is deprecated.
Methodsauthenticate
Inputuser.password (string, "${inargs:isiwebpasswd}") Old password See topic "Notes" in this table.
user.newPassword1 (string, "${inargs:isiwebnewpw1}"),New password, first input
user.newPassword2 (string, "${inargs:isiwebnewpw2}") New password, second input for verification (optional, but recommended to avoid simple CSRF attacks)
credential.type (CredentialType, -) The state supports changing the user's context passwords as well. In this case, the credential.type parameter must be set to "CONTEXT_PASSWORD".
credential.context (string, -) The state supports changing the user's context passwords as well. To identify which context password credential to use, the credential.context parameter must be set.
Transitionsok: Authentication was successful.
failed: Password verification failed.
policyFailure: The user selected a passphrase that was not accepted by the passphrase policy which is active for this user.
clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available.
nowLocked: Last try failed, credential now locked.
lockWarn: Last try to type the correct old password. Next failure will lock it.
locked: The old password credential is locked in nevisIDM.
locked: The old password credential is temporarily locked in nevisIDM.
Outputnone
Errors3: will lock on next failure; 4: PolicyViolation; 5: differing pw input; 8: just locked; 8: locked; 8: temporarily locked
Notes(Output)policyInfo: Only set when legacyLitDictMode=true. Contains all password policy configurations of the password credential as HTML list.
policyViolations: Only set when legacyLitDictMode=true. Contains all password policy violations of the new password as HTML list.
policyInfo.* (all litDict entries matching policyInfo.*): Only set when legacyLitDictMode=false and when initially entering IdmChangePasswordState (state has to set final="false"). One note entry per password policy configuration will be defined.
policyFailure.* (all litDict entries matching policyFailure.*): Only set when legacyLitDictMode=false and if the new password violates any policy. One note entry per violated password policy configuration will be defined.

Example

Config with legacy lit dict mode:

<AuthState name="IdmPasswordChange"
class="ch.nevis.idm.authstate.IdmChangePasswordState" final="false">
<ResultCond name="ok" next="IdmPostProcessing" authLevel="auth.weak" />
<ResultCond name="default" next="IdmPasswordChange"/>
<Response value="AUTH_CONTINUE">
<Gui name="AuthUidPwDialog" label="login.pwchange.label">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
<GuiElem name="lastmsg" type="info" label="${notes:policyInfo}"/>
<GuiElem name="fail" type="error" label="${notes:policyViolations}"/>
<GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
<GuiElem name="isiwebnewpw1" type="pw-text" label="newpassword.label"/>
<GuiElem name="isiwebnewpw2" type="pw-text" label="newpassword.label"/>
<GuiElem name="submit" type="submit" label="submit.button.label" value="Reset"/>
</Gui>
</Response>
<property name="legacyLitDictMode" value="true"/>
</AuthState>

Config with non-legacy lit dict mode: see the example configuration particle in the nevisAuth distribution.

If the input user.password is not set, this AuthState allows a user to change his password without entering his old password. This is a cross-site request forgery vulnerability. We advise to always set user.password. If you want to omit this, make sure that this is intended behavior. In this case, we recommend enabling the CSRFFilter of nevisProxy.