If ASK_PASSWORD Recovery Scenario, Update Thread Local Properties Specifying the Flow is Password Set #823
Conversation
…specifying the flow is password set.
| if (RecoveryScenarios.ASK_PASSWORD.equals(recoveryScenario)) { | ||
| IdentityUtil.threadLocalProperties.get().put(AccountConstants.PASSWORD_SET_FLOW, true); | ||
| } else { | ||
| IdentityUtil.threadLocalProperties.get().put(AccountConstants.PASSWORD_SET_FLOW, false); |
There was a problem hiding this comment.
Can't see any place where clearing the threadlocal properties. (If using thread local need to clear them at a proper place)
Since threadlocal usage is bit unsafe can we go with adding a runtime claim to userClaims list and get it should in the account lock handler?
I hope we can go with a runtime claim which is not actually registered into the claims of the tenant.
There was a problem hiding this comment.
Since user claims are not passed from governance to account lock handler event, it is not possible to add a temporary runtime claim from here. Therefore, the runtime claim should have to be updated and read through the userstore manager. Since this PASSWORD_SET_FLOW relates to a specific user flow (and not the user), if such a user claim is used, another flow (ex: password reset flow) might incorrectly read the said user claim. Therefore, it seems like thread local property solution is the on way to achieve this objective.
Furthermore, the clearance of the introduced thread local property is addressed by 0757aa6, de1c7a9 and 66219ce.
|
The implementation changed and the new implementation can be found with wso2-extensions/identity-event-handler-account-lock#139 |
Proposed changes in this pull request
When should this PR be merged