[Openid-specs-risc] RISC Question: Password Reset

Richard Backman, Annabelle richanna at amazon.com
Mon Aug 17 21:57:02 UTC 2020


Yes, I think if the end user initiated an account recovery process and was required to change their password as part of that process, then two events would apply:

  *   Recovery Activated
  *   Account Credential Change Required

The RISC events generally do not provide much detail about the reason for the action. This was by design: given the use cases we were focused on, we were very concerned about limiting information exposure, providing unambiguous messages, and not implying qualitative judgements about users.

In the broader scope of SSE, taking CAEP use cases into consideration, it may be worth revisiting some of those decisions. I’d much rather see optional contextual attributes added to the Account Credential Change Required than have a proliferation of events for slightly different cases. The latter puts a lot more cognitive load on developers to understand the nuances between cases.

–
Annabelle Backman (she/her)
AWS Identity
https://aws.amazon.com/identity/
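As an added illustration (not part of this message or of any OpenID specification text), one Security Event Token carrying both of the events named above, built and then consumed on the receiving side; the key, issuer, audience and subject identifier are constructed sample values, and HS256 with a shared secret is an assumed deployment choice:

```python
"""Build and consume a RISC Security Event Token (RFC 8417 SET) carrying both
events named above. HS256 via the standard library only; key, issuer, audience
and subject are constructed sample values (assumed shared-secret deployment)."""
import base64, hmac, hashlib, json, secrets, time

RISC = "https://schemas.openid.net/secevent/risc/event-type/"
RECOVERY_ACTIVATED = RISC + "recovery-activated"
CREDENTIAL_CHANGE_REQUIRED = RISC + "account-credential-change-required"
SAMPLE_KEY = b"constructed-demo-key-not-for-production"  # sample value only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_set(issuer, audience, subject, event_types, key=SAMPLE_KEY) -> str:
    """One SET, one 'events' entry per type; RISC places the subject in each event payload."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {"iss": issuer, "aud": audience, "iat": int(time.time()),
               "jti": secrets.token_hex(16),  # unique per SET, lets receivers de-duplicate
               "events": {uri: {"subject": subject} for uri in event_types}}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def receive_set(token, expected_iss, expected_aud, key=SAMPLE_KEY) -> dict:
    """Receiver side: pin alg/typ, verify the signature, then iss and aud, and report
    which RISC event types the token carries. Raises ValueError if any check fails."""
    h64, p64, s64 = token.split(".")  # ValueError if not a compact JWS
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected alg or typ")  # never let the header choose the algorithm
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("iss") != expected_iss or payload.get("aud") != expected_aud:
        raise ValueError("iss/aud mismatch")
    events = payload.get("events") or {}
    if not isinstance(events, dict) or not events:
        raise ValueError("SET carries no events")
    return {"jti": payload.get("jti"), "event_types": sorted(events),
            "subjects": [ev.get("subject") for ev in events.values()],
            "credential_change_required": CREDENTIAL_CHANGE_REQUIRED in events}
```

The receiver checks the signature before reading any claim, so a tampered payload or a token minted for another audience is rejected before it can influence any account action.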


From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Openid-specs-risc <openid-specs-risc at lists.openid.net>
Reply-To: ALI Asad <asad.ali at thalesgroup.com>
Date: Thursday, August 13, 2020 at 10:25 AM
To: Tim Cappalli <Tim.Cappalli at microsoft.com>
Cc: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: RE: [EXTERNAL] [Openid-specs-risc] RISC Question: Password Reset


Hi Tim,
In the SSE context I think the password reset event would fall under account credential change. Unless we want to capture system-enforced change vs. voluntary password change (initiated by user), there is no need to have two separate event types.

Let us see what RISC folks say.

Regards,
--- Asad

From: Openid-specs-risc [mailto:openid-specs-risc-bounces at lists.openid.net] On Behalf Of Tim Cappalli via Openid-specs-risc
Sent: Wednesday, August 12, 2020 8:56 AM
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] RISC Question: Password Reset

Hey all. Question for the RISC folks.

Looking at the existing event types <https://openid.net/specs/openid-risc-event-types-1_0-ID1.html>, would a password reset event fall under Account Credential Change Required or does this require a new event?

Password change was given as an example.

Account Credential Change Required signals that the account identified by the subject was required to change a credential. For example the user was required to go through a password change.

Thanks
Tim