  2. MID-4594

Nonce timestamp is not stored in User object



      Description

      I'm using the configuration from https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration (with password hashing added):

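      <?xml version="1.0" encoding="UTF-8"?>
      <!-- (c) 2011-2018 Evolveum, All rights reserved -->
      <!-- Security policy taken from the midPoint "Reset Password Configuration" example,
           with password hashing enabled. Indentation normalised to spaces (the original
           mixed tabs and spaces); element content and attribute values are unchanged. -->
      <securityPolicy oid="076eabee-332d-11e8-8087-f3c9c7e9809d"
                      xmlns="http://midpoint.evolveum.com/xml/ns/public/public/common/common-3"
                      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
        <name>ExAmPLE Security Policy with Password Hashing</name>
        <credentials>
          <password>
            <!-- storageType "hashing": the user dump in this report shows the password
                 persisted as t:hashedData, i.e. a one-way digest, not reversible encryption. -->
            <storageMethod>
              <storageType>hashing</storageType>
            </storageMethod>
            <maxAge>P180D</maxAge>
            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
            <lockoutDuration>PT15M</lockoutDuration>
            <valuePolicyRef oid="10000000-9999-9999-0000-a000f2000002"/>
            <!-- <historyLength>0</historyLength> -->
          </password>

          <!-- Mail nonce carried by the password reset link. maxAge is expected to bound
               how long the nonce stays valid; that presumably needs a creation timestamp
               to be stored next to the nonce in the user object, which the report below
               shows is missing. -->
          <nonce>
            <maxAge>PT2M</maxAge>
            <name>mailNonce</name>
            <!-- Same value policy oid as the password above, as in the wiki example;
                 a nonce may warrant a dedicated length/character policy of its own. -->
            <valuePolicyRef oid="10000000-9999-9999-0000-a000f2000002"/>
          </nonce>
        </credentials>

        <authentication>
          <mailAuthentication>
            <name>confirmationLink</name>
            <displayName>Additional mail authnetication</displayName>
            <!-- References credentials/nonce/name above. -->
            <mailNonce>mailNonce</mailNonce>
          </mailAuthentication>
        </authentication>
        <credentialsReset>
          <mailReset>
            <name>Reset password using mail</name>
            <!-- References authentication/mailAuthentication/name above. -->
            <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
          </mailReset>
        </credentialsReset>
      </securityPolicy>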
      

      A notification is also configured for sending the links.

      When the password reset button is clicked, a nonce is generated and stored in the User object and the link is sent to the user, but I can't see any metadata with a timestamp for the nonce in the User object:

         <!-- Excerpt of the user object after the reset link was requested. The enclosing
              <user> start tag and the declaration of the t: prefix are not part of the excerpt. -->
         <credentials>
            <password>
               <lastSuccessfulLogin>
                  <timestamp>2018-04-17T09:15:20.460+02:00</timestamp>
                  <from>192.168.56.1</from>
               </lastSuccessfulLogin>
               <!-- The password value carries full metadata: create/modify timestamps,
                    actor references and channels. Compare with the nonce below. -->
               <metadata>
                  <createTimestamp>2018-04-17T09:12:51.920+02:00</createTimestamp>
                  <creatorRef oid="00000000-0000-0000-0000-000000000002"
                              relation="org:default"
                              type="c:UserType"><!-- administrator --></creatorRef>
                  <createChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</createChannel>
                  <createTaskRef oid="388ed480-1c45-46e5-8878-b6bd1388e13f"
                                 relation="org:default"
                                 type="c:TaskType"><!-- HR Synchronization --></createTaskRef>
                  <modifyTimestamp>2018-04-17T11:13:01.542+02:00</modifyTimestamp>
                  <modifierRef oid="27a0701f-d9cb-4aae-90ba-43c96847c9db"
                               relation="org:default"
                               type="c:UserType"><!-- X000980 --></modifierRef>
                  <modifyChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</modifyChannel>
               </metadata>
               <value>
                  <!-- One-way digest (PBKDF2 with HMAC-SHA512, salted, work factor 10000),
                       consistent with storageType "hashing" in the policy above. -->
                  <t:hashedData>
                     <t:digestMethod>
                        <t:algorithm>http://prism.evolveum.com/xml/ns/public/crypto/algorithm/pbkd-3#PBKDF2WithHmacSHA512</t:algorithm>
                        <t:salt>/TApLg==</t:salt>
                        <t:workFactor>10000</t:workFactor>
                     </t:digestMethod>
                     <t:digestValue>aR3WFHkvP+AXNrUreKYeiRBGMvwqr0W6lNfLNAZCq3w=</t:digestValue>
                  </t:hashedData>
               </value>
            </password>
            <!-- No <metadata> (and so no createTimestamp) under the nonce, unlike the password
                 above. This is the missing timestamp the report is about: without it the
                 configured nonce maxAge (PT2M) presumably has no point in time to be measured
                 from, so the reset link's validity window cannot be enforced as intended. -->
            <nonce>
               <value>
                  <!-- Unlike the password, the nonce value is reversibly encrypted
                       (AES-128-CBC under a named key) rather than hashed. -->
                  <t:encryptedData>
                     <t:encryptionMethod>
                        <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
                     </t:encryptionMethod>
                     <t:keyInfo>
                        <t:keyName>06fM0eQkb1O4b5Y87oNGWu9c+eo=</t:keyName>
                     </t:keyInfo>
                     <t:cipherData>
                        <t:cipherValue>xfped25kZRuEZVzeXr/vQnIaLZkNMJNQoUBax8Csdtc=</t:cipherValue>
                     </t:cipherData>
                  </t:encryptedData>
               </value>
            </nonce>
         </credentials>
      </user>
      

      How is the time interval (I assume this is the validity interval of the nonce) supposed to work?
