[Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog

Endi Sukma Dewata edewata at redhat.com
Wed Jun 13 17:18:02 UTC 2012 

On 6/13/2012 8:15 AM, Petr Vobornik wrote:
> I'll address all issues once we decide on the solution.
>
>> 1. If you click 'form-based authentication the dialog title still shows
>> 'Kerberos ticket no longer valid' which is not relevant for form-based
>> authentication. It might be better to use 'Login' as the title for all
>> pages in this dialog.
>
> Agree
>
>> 2. Instead of having to go to a separate page for form-based
>> authentication, would it be better to change the first page in the login
>> dialog to show the login form? Something like this:
>>
>> Login
>> -----------------------------------------------------
>>
>> Your session has expired. Please re-login.
>>
>> To login with username and password:
>>
>> Username: [edewata ]
>> Password: [******** ]
>>
>> [Login]
>>
>> To login with Kerberos, please make sure you
>> have valid tickets (obtainable via kinit) and
>> [configured] the browser correctly.
>>
>> [Login with Kerberos]
>>
>> The two login mechanisms can be shown at the same time like above or in
>> collapsible sections. If the user enters a password and it's expired,
>> the dialog will change into:
>
> I like the idea but I'm not sure about the layout. Having one button
> inside the dialog seems strange a also it will probably look weird.

You mean two buttons (Login & Login with Kerberos)? I agree it's kinda 
strange.

> Collapsible sections are worse because you have to click on them so it
> slow things down.

That's also true. I'll leave this up to you. The current workflow still 
makes sense if we consider form-based authentication a less preferred 
method, so you'd have to go to another page to login with username & 
password.

> Current implementation has 'forms-based
> authentication' link selected so user can in most cases hit enter and
> immediately write username, password and complete login procedure only
> by using keyboard.

Hmm... that's not very obvious though. I wouldn't have known that until 
you told me :) I think intuitively people will think that if you hit 
enter it will click the default button in the dialog, unless there's 
input text field.

> Also 'Login with Kerberos' is misleading. User login elsewhere (kinit).
> So current button: 'retry' is more appropriate.

What I meant was 'Login with Kerberos mechanism' or 'Login with Kerberos 
ticket', but it might be too long. I assume people in general isn't 
going to be confused by that because the text also mentions that you'd 
have to get the ticket from kinit.

My concern with 'Retry' is that if you open the UI for the first time 
and you haven't done kinit yet, you'll see a message saying your 
Kerberos ticket has expired and asking you to Retry. This is not quite 
accurate because you never had a ticket before.

The 'expired ticket' and 'retry' message might make more sense if you 
already had the UI open but left it for a while and come back to 
continue. If you just open the UI for the first time I think the message 
should only tell you what you need to do to login, not what went wrong 
in the past.

I'll leave this up to you too. We might be able to keep the current 
workflow, but display different message depending whether it's your 
first visit or return visit.

>> Login
>> -----------------------------------------------------
>>
>> Your password has expired. Please enter a new
>> password:
>>
>> Username: edewata
>> New Password: [******** ]
>> Verify Password: [******** ]
>>
>> [Reset Password and Login] [Cancel]
>>
>> In this page the username is shown for info only, it's not editable. The
>> old password is not shown again, but kept in memory. I use Cancel
>> instead of Back to indicate that we are starting over. The Cancel button
>> will bring you back to the first page.
>
> Little change, but can be probably more straightforward - will do.

If you keep the original workflow, the Cancel button probably should 
bring you to the first page (expired ticket), not to the second page 
(login) because if your password has expired you can't login without 
reset anyway.

> 2a. The dialog uses headers in title (the one from #1) and a headers
> inside (login, reset password). From your examples I'm not sure if you
> would like to:
> a) remove the inside headers
> b) change them to 'login' everywhere
> c) keep them unchanged

I think the inside header is not necessary, it's a duplicate of the 
dialog title. This reset password operation is still part of login 
operation because if you cancel reset you still aren't logged in yet.

>> 3. I noticed that the password is kept in memory too long by the login
>> dialog so if you go back and forth between the pages the fields are
>> already populated. This might be a security risk. I think the username &
>> password should be cleaned up when you click Back/Cancel.
>
> Agree

Also when you complete the login process, it should be cleaned up as well.

>> 4. Is there a plan to provide password reset via email?
>
> I don't think so. I'm not sure if it is even useful for Freeipa. One of
> main purposes for Freeipa is SSO and I guess company mail would be
> kerberized too. So if you forget the password, you can't login, reset
> and even access mail. I guess using external mail is not the way to go.
> Maybe it is useful if company uses additional authentication mechanism
> like pin + token or other.

OK.

-- 
Endi S. Dewata

More information about the Freeipa-devel mailing list