Monday, December 2, 2013

Password Recovery with WSO2 Identity Server

This blog shows how to use the password recovery feature of WSO2 Identity Server 4.5.0. The Identity Server provides e-mail based password recovery as well as secret-question based password recovery for registered users. Currently password recovery is supported only for super-tenant users; support for tenant users is planned for a future version.

With the Identity Server as middleware, you can configure it to recover a user's password securely once the user is registered in the Identity Server user store. The Identity Server exposes secured admin service APIs that your application invokes to recover the password. You can view the available operations through the service's WSDL.


First I will explain how to recover the password using email notifications.

Recover password with email notification

The API operations used for e-mail notification based password recovery are listed below, in the order they are called. getCaptcha() appears twice because a captcha is required both before user verification and again on the reset page.
1. getCaptcha()
2. verifyUser()
3. sendRecoveryNotification()
4. getCaptcha() (second captcha, on the reset page)
5. verifyConfirmationCode()
6. updatePassword()

The flow of password recovery by e-mail notification is as follows.
1. Call getCaptcha() to obtain a captcha.
2. Pass the returned captcha details, the user's answer to the visible captcha and the user name to verifyUser(). On successful verification it returns a code.
3. Call sendRecoveryNotification() with that code. The server generates an e-mail containing a password-reset link and sends it to the user.
4. When the user clicks the reset link, direct the user to a second captcha page backed by another getCaptcha() call.
5. Call verifyConfirmationCode() with the confirmation code carried in the link and the captcha answer. This returns another code.
6. Pass that code, together with the new password, to updatePassword() to update the password.
To recover the password using e-mail notification, the following configuration is needed.
You need to configure an e-mail sender; here we use the Axis2 mail transport sender. Edit the axis2.xml file located under <is_home>/repository/conf/axis2 in the Identity Server installation: uncomment the mailto transport sender block and fill in your e-mail account details.
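The transport sender block itself is not reproduced on the page. The following is an added example, not taken from the original post, in the shape Axis2's MailTransportSender expects; the parameter names are the standard JavaMail SMTP properties, and the host, account and password values are placeholders to replace with your own.

```xml
<!-- <is_home>/repository/conf/axis2/axis2.xml: uncomment the block and fill it in.
     Placeholder values below are assumptions for this example, not from the original post. -->
<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">recovery@example.com</parameter>
    <parameter name="mail.smtp.user">recovery@example.com</parameter>
    <parameter name="mail.smtp.password">CHANGE_ME</parameter>
    <parameter name="mail.smtp.host">smtp.example.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
</transportSender>
```

The password sits in clear text in axis2.xml, so use a dedicated sending account with no other privileges rather than an administrator's mailbox, and restrict the file's permissions to the account that runs the server. Keep mail.smtp.starttls.enable set to true; the reset link in the message is what authorises the password change, and it should not cross the first hop unencrypted.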


Then configure the identity management module properties in the properties file under <is_home>/repository/conf/security. For example:

# Expire the recovery code after 3 minutes. Keep the comment on its own line:
# in a Java properties file a trailing "# ..." would become part of the value.
Notification.Expire.Time=3

You can also configure the e-mail format and the confirmation-code URL in email-admin-config.xml under <is_home>/repository/conf/email. For the password recovery e-mail you need a template of type “passwordReset”. The following shows a sample configuration.

 WSO2 Carbon - Password Reset
 Hi {first-name}

 We received a request to change the password on the {user-name} account
 associated with this e-mail address. If you made this request, please
 click the link below to securely change your password:

 If clicking the link doesn't seem to work, you can copy and paste the
 link into your browser's address window.

 If you did not request to have your {user-name} password reset, simply
 disregard this email and no changes to your account will be made.
 Best Regards,
 WSO2 Carbon Team
In the e-mail template shown above, the <targetEpr> tag defines the callback URL that handles the user's confirmation request. Its content is used to build the password-reset link by appending the confirmation code. Since that code is what authorises the reset, the target should be an HTTPS endpoint of your application, which then passes the code to verifyConfirmationCode().
You can find the sample here. Follow the “I forgot my password” link to see the demo.

Recover password with secret questions

The Identity Server provides another way of recovering the password, using secret questions. A user selects one security question from each of two sets of questions and provides the answers under Account Recovery, in the My Identity section of the management console, as shown below.

Figure 1. Account Recovery menu in management console.

You need the same configuration as for recovery with e-mail notification, except for the e-mail related settings.
Also make sure that the correct user-store attributes are mapped to the two challenge-question claim URIs under Claim Management.

There are 6 methods defined through the API as follows.

1. getCaptcha()
2. verifyUser()
3. getUserChallengeQuestionIds()
4. getUserChallengeQuestion()
5. verifyUserChallengeAnswer()
6. updatePassword()

The password recovery flow for two challenge questions is as follows.

Get a captcha using getCaptcha() and pass the captcha details along with the user name to verifyUser(); the call returns a code. After verification, get the challenge question ids with getUserChallengeQuestionIds(), which returns the configured claim URIs along with a new code. You need that code to retrieve each question for the user with getUserChallengeQuestion(). In your web application you can present the two questions as two separate steps to maximize security. verifyUserChallengeAnswer() verifies the answer to a particular question. Only if both answers are correct should you call updatePassword() to change the user's password.
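Both flows above chain single-purpose codes: each step consumes the code from the previous step and issues a new one, and the code must expire (Notification.Expire.Time) and bind to one user. The following is an added, self-contained model of that chaining for the e-mail flow and the secret-question flow, written for this page and not WSO2's implementation: the operation names mirror the list above, but the RecoveryService class, the step names, the in-memory code store, the hashing of stored answers, the TARGET_EPR value and the link format are all assumptions made for the example (the real operations also take more parameters than shown).

```python
# Added illustration of the two recovery flows described above; not WSO2 code.
# Step names, the code store, answer hashing, TARGET_EPR and the link format are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 3 * 60                    # same idea as Notification.Expire.Time=3
TARGET_EPR = "https://localhost:8443/reset"  # stands in for <targetEpr> (assumed value)
ANSWERS_REQUIRED = 2                         # two challenge questions, as in the flow


@dataclass
class Code:
    user: str
    step: str              # the single operation this code unlocks
    issued: float
    answered: tuple = ()   # challenge-question ids already answered in this chain
    used: bool = False


def hash_answer(answer, salt):
    # Normalise whitespace and case, then hash: stored answers are secrets like passwords.
    normalised = " ".join(answer.split()).lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


class RecoveryService:
    def __init__(self, users, clock=time.time):
        self.users = users      # name -> {"password": str, "questions": {id: (text, salt, hash)}}
        self.codes = {}         # code value -> Code
        self.captchas = {}      # captcha key -> expected answer
        self.clock = clock      # injectable so expiry can be tested

    # -- steps shared by both flows --
    def get_captcha(self):
        key, text = secrets.token_hex(8), secrets.token_hex(3)
        self.captchas[key] = text
        return key, text        # the real service returns an image, not the answer

    def _check_captcha(self, key, answer):
        expected = self.captchas.pop(key, None)      # one attempt per captcha
        return expected is not None and hmac.compare_digest(expected, answer)

    def _issue(self, user, step, answered=()):
        value = secrets.token_urlsafe(24)
        self.codes[value] = Code(user, step, self.clock(), answered)
        return value

    def _redeem(self, value, user, step):
        code = self.codes.get(value)
        if code is None or code.used or code.user != user or code.step != step:
            return None         # unknown, spent, wrong user, wrong step: one answer for all
        if self.clock() - code.issued > CODE_TTL_SECONDS:
            return None         # expired
        code.used = True        # one-time use
        return code

    def verify_user(self, user, captcha_key, captcha_answer):
        if not self._check_captcha(captcha_key, captcha_answer) or user not in self.users:
            return None         # production code should not reveal which check failed
        return self._issue(user, "verified")

    def update_password(self, user, code, new_password):
        if self._redeem(code, user, "update") is None:
            return False
        self.users[user]["password"] = new_password
        return True

    # -- email-notification flow --
    def send_recovery_notification(self, user, code):
        if self._redeem(code, user, "verified") is None:
            return None
        return f"{TARGET_EPR}?confirmation={self._issue(user, 'confirm')}"  # mailed link

    def verify_confirmation_code(self, user, confirmation, captcha_key, captcha_answer):
        if not self._check_captcha(captcha_key, captcha_answer) \
                or self._redeem(confirmation, user, "confirm") is None:
            return None
        return self._issue(user, "update")

    # -- secret-question flow --
    def get_user_challenge_question_ids(self, user, code):
        if self._redeem(code, user, "verified") is None:
            return None
        return sorted(self.users[user]["questions"]), self._issue(user, "challenge")

    def get_user_challenge_question(self, user, question_id):
        return self.users[user]["questions"][question_id][0]

    def verify_user_challenge_answer(self, user, code, question_id, answer):
        chain = self._redeem(code, user, "challenge")
        if chain is None or question_id in chain.answered:
            return None         # no credit for answering the same question twice
        _, salt, expected = self.users[user]["questions"][question_id]
        if not hmac.compare_digest(hash_answer(answer, salt), expected):
            return None         # wrong answer: chain is spent, start again from getCaptcha
        answered = chain.answered + (question_id,)
        if len(answered) >= ANSWERS_REQUIRED:
            return self._issue(user, "update")
        return self._issue(user, "challenge", answered)
```

The properties worth checking in your own web application are the ones the model enforces: a captcha is good for one attempt, every code is single-use and bound to one user and one next step, an expired or wrong code gets the same rejection as an unknown one, a challenge chain dies on a wrong answer, and updatePassword() cannot be reached with one correct answer of the two.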

You can find a sample web app that implements this feature here.



  1. Hi,
    I was running your sample on IS500 to recover password with secret questions and I received message "18013 No associated challenge question found for the user" when calling getUserChallengeQuestionIds().
    I checked the user I am trying to recover and there were two challenge questions, so what could be the cause of no associated challenge question found for the user?

  2. Please check that the user you accessed has the questions answered. You can access https://:9443/dashboard, log in with the user, go to Account Recovery and verify the answers.
