Voluntary password change in the authentication flow in the Loginapp REST API

This article describes how to adapt an authentication flow such that the end-user is given the option to change the password within the flow.

Changing the password during the login process can be a useful alternative to using the corresponding protected self-service flow. When the password change is already part of the authentication process it does not require the end-user to find and navigate to the self-service after login.

The following configuration instructions show how to use dynamic step activation to give the end-user (or REST client) the option to activate the Voluntary Password Change step.

The details depend on whether mandatory password change is also part of the authentication flow or not. In the following, both scenarios are described.

VoluntaryPasswordChangeFlow

The voluntary password change self-service may be used after the existing password has been stolen or revealed to non-legitimate persons.

It is therefore good practice to log out all persistently logged-in browsers and devices (OAuth, remember-me features). This can be done by configuring the corresponding steps after setting the new password.

Prerequisites

  • An authentication flow with a Username Password Authentication Step already exists.

Simple configuration (without mandatory password change)

The simple configuration assumes that there is no Mandatory Password Change step required in the flow.

  • The configuration is therefore straightforward:
  • Add the Voluntary Password Change step to the flow.
  • Make it activatable in a preceding step.
  1. Go to:
    Loginapp >> Authentication Flows >> affected target application >> Authentication Flow
  2. Add the Voluntary Password Change Step for authentication to the flow.
  3. Place the new step after the Username Password Authentication Step in the flow.

    4. Note that when using strong authentication, it is best for security reasons to place the step after the 2nd-factor step.

  4. Configure the Voluntary Password Change Step. In section Flow Control:
    • Select the Step ID voluntary-password-change.
    • Check the Requires Activation option.
  5. The voluntary password change step is now preconfigured. To allow a voluntary password change on the authentication step, the dynamic step activation has to be configured on the Username Password Authentication Step.
  6. Back in the authentication flow, configure the Username Password Authentication Step in section Flow Control:
    • Add a new Dynamic Step Activation element.
    • Assign a voluntary password change step by selecting the step ID voluntary-password-change.
  7. The configuration is now completed and can be activated.

Extended configuration (with mandatory password change)

If a mandatory and voluntary password change step is part of the authentication flow, the configuration is more complicated because we need to ensure that a password change is not required twice in the same flow.

The configuration solution is based on flow selection and flow condition testing for mandatory password change.

  1. Go to:
    Loginapp >> Authentication Flows >> affected target application >> Authentication Flow
  2. Remove the Mandatory Password Change Step from the flow and replace it with a new Selection Step.
  3. Configure the new Selection Step in section Basic Settings. Under Available Options, add a Selection Option with:
    • Name – anything like MANDATORY_PASSWORD_CHANGE.
    • Steps – select the Mandatory Password Change Step from above.
    • Condition – use a Red Flag Raised condition testing for the Mandatory Password Change Red Flag.
  4. Back in the section Basic Settings of the Selection Step, add a Voluntary Password Change Step for authentication as Fallback Flow.
  5. Mandatory and voluntary password changes are now preconfigured. To allow a voluntary password change if no mandatory password change is required, the dynamic step activation has to be configured on the username password authentication step.
  6. Go to the Username Password Authentication Step in the flow.
  7. In the Flow Control section, add a new Dynamic Step Activation element and open it for configuration.
  8. Select the step ID voluntary-password-change to refer to the voluntary password change step.
  9. The configuration is now completed and can be activated.

The Airlock IAM configuration template Demo configuration using the Loginapp REST UI also contains the described flow.

The demo configuration shows how to configure many IAM features – you may want to check it out.