PCI: A user who's password has expired must ask an admin to reset their password.

Took a closer look at this today. I noticed that there appears to be a "chicken or egg" problem with this. You need a token to be able to change your password, but if your password has expired, then you cannot get a token. If you cannot get a token, then unfortunately, you cannot change your password. I am wondering if the solution for this is either:

- Give an unscoped (or a custom) token if your password has expired, then allow a user to change their password with that unscoped token. A user can already change their password with an unscoped token so this would just involve changing how a user with an expired password is currently handled to allow that user to get an unscoped token, even if their password has expired. Although the current unscoped token may allow an expired password user to be able to do more than we want (other than just changing your password)

- Allow a user to change their password if it has expired without a token. To change you password you already must know your user_id and current (expired) password, so you may not need a token as you can already identify who you are (in theory). This method seems a bit off though due to the removal of security.

- ???

I can see the use case for resetting a password if it has already expired, but I'm still thinking about the lockout case.

When I'm at work, and I've managed to lock myself out of an account because I authenticated too many times within a given timeframe, I have to call someone (a system admin or help desk) to reset my authentication attempts (which it the whole idea behind the design, right?).

I actually don't see this as a bug. If my password expires at work or if I get locked out I have to call the support desk. This is the way we designed it.

Correct lbragstad, this is by design. I don't think of this as a bug. If we want to change this behavior, it feels more like it should be a spec.

Discussed at the (11/22/16) meeting:

- Users should be able to change their password if it expired, but not locked out (too many failed login attempts)
- How to do this? (tokenless auth for the auth request could return the URL for password change if password is expired (regardless of the value of the password))

Fix proposed to branch: master
Review: https://review.openstack.org/404022

The only thing I am concerned about is UX in the case of [1] (
PCI-DSS Force users to immediately change their password upon first use).

If the user does not change their password upon first use, they will need to contact the admin again just after. Is this what we expect ?

[1] https://review.openstack.org/#/c/403916

I was thinking to have first use passwords fall under the same category for this. So if a user authenticates and either:

1) Password is first used
2) Password is expired

then we can return the URL for them to change their password themselves. I currently have a config setting for toggling the expired password self-change, because I have seen it used both ways and then we aren't forcing one way over the other. But I would imagine that we would want a "first use" password to be changed immediately.

Reviewed: https://review.openstack.org/404022
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3ae73b67522bf388a0fdcecceb662831d853a313
Submitter: Jenkins
Branch: master

commit 3ae73b67522bf388a0fdcecceb662831d853a313
Author: Gage Hugo <email address hidden>
Date: Mon Nov 28 23:01:51 2016 -0600

    Allow user to change own expired password

    Currently, if a users password expires, they must contact an
    administrator in order to have their password reset for them.

    This change allows a user to perform the change_password call
    without a token, which will allow a user with an expired password
    to change it if they are using PCI-DSS related features. This
    removes the issue of needing an administrator to reset any
    user's password that has expired.

    Also updated the api-ref with the related changes.

    Change-Id: I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
    Closes-Bug: #1641645

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.