RapidIdentity Product Guide: New UI

Password Authentication Method

Here is an example response from the server indicating that password authentication is required as the next step:

HTTP/1.1 200 OK 
Content-Type: application/json
{
  "type": "password",
  "id": "931c4a40-2dc9-11e6-937b-005056c00008"
}

Note that the value of the type property is password.

In addition to sending the standard id and type properties with the next request, the only other thing required is a valid password:

POST /idp/ws/rest/authn HTTP/1.1 
Content-Type: application/json 
Accept: application/json
{
  "type": "password",
  "id": "931c4a40-2dc9-11e6-937b-005056c00008",
  "password": "mysecurepassword"
}

If the password provided is correct, then the next authentication step will be returned by the server. If not a password type will be returned with an error property.

Here is an example of a response from the server if the password sent in the request is incorrect:

HTTP/1.1 200 OK 
Content-Type: application/json
{
  "type": "password",
  "id": "931c4a40-2dc9-11e6-937b-005056c00008",
  "error": {
    "type": "simple",
    "message": "Incorrect Username and/or Password"
  }
}

Notice the type of the error is simple. This indicates that the associated message should be displayed to the user and they should be prompted again for a valid password.

Here is an example of the response from the server if the password was correct but the user is required to update their password before continuing:

HTTP/1.1 200 OK
Content-Type: application/json
{
    "type": "password",
    "id": "931c4a40-2dc9-11e6-937b-005056c00008",
    "error": {
        "type": "password-expired",
        "expiredPasswordUrl": "https://customer.rapididentity.com/",
  }
}

Notice the type of the error is password-expired. This indicates that the user must change their password. If expiredPasswordUrl is not included in the response, it indicates that the Expired Password Flow should be executed against the current server URL. If the property is included in the response, the Expired Password Flow should be executed against the server whose URL is provided.

Expired Password Flow

If RapidIdentity detects that a user's password is expired during a login attempt, here are the new APIs to facilitate a successful password change.

Once the user's password is detected as expired, here is the new update password init request:

POST /expiredPassword/init HTTP/1.1
Content-Type: application/json
{
    "userId": "321g4a40-2dd4-11e6-937b-005056c24006",    
    "currentPassword": "mysecurepassword"
}

If the request is successful, the server will respond with the following response, containing a token and the password policy associated with the user:

HTTP/1.1 200 OK
Content-Type: application/json
{
"token":"wsJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.bEkmBEgjf7PivEbXkJjg5PYABZ8DooSUO1jAWTBfY4ZfNWvtxjss1l2k_00WV8Kfuc9XQGVWDgbJe6nYZE5kY95SZ144ioDdS0a7aCeMKS2azFI142iBx5P1vNakYRoVhV7dwCYN7oLHXQBe7fqaYHDbUStCrGzm1rOe4jFTfOHrNIve6x4aLdW3N4M7inTdZK7v3t2_FeCbG9g06A09N75jmJ26uwcQXh7eez9nEnBrzeh7JnGA18UJsYHhpaoqftdMV52NDNIw6os7zM9352R3xEzZErK-mD0Cw42G1zr9zk_dfd0z0RyF5pr9yFVYbY9mga6_vVmBOhTsnFzPIA.4XSwi4xokumtM-w7.3sBpe1XM34pG2CkKl9XUvSLd9y2C7A4I3Nz5PNNw1ZLzGecverVYkh5HKpjH9EI-6Qv4rfovzpqh_rt-JbaBNhqU5jZgA0v4HEQJwJaY8oJ7Q8TI3oiLtqvi-r6kmXKDixSj7BbwQ5kQ2o4S9Wx13O60MtzCH7dvFryRxHYvyblvSUpSXoqKGy5Zljf7nWPLFjq2RYRG6vUHkOE1CfYO2BqoEkTILe7Eqg4sD7BiTilz2u90uGIRafxdC0PUThMfNY6zlGH0LsT9YUDmU4O2pWGz5yzHYNXKRAHRUu-Oz3KQI0FVNXdKEiQl6CWeErOxM8Efin67TKZUVx745ddL-BZGqoyaEmktu71mfRMHXX6sDBQwvQdXeZG3VpHdbqvU9ycavjsEJhnEVFBaTrpu5G-nTiX0yZKRMeIKyIr1PsoGRgqNTfL7W1lGCb68n45UNXIr2sq3eGS8arCIAPzYPszPGDkWzXNy4EF8dMY4py9ml29GLm2QTTW4rEL6d2VU-rebf5JstINVg5s-We-ugyEyBVE-03VjpZRMFkA3jMNbm_kK5UTU0bi7BYb2912wA6Mcc0wCPK_3F1pW2Zljgto1isBOk9--iR5MIuVt91rxfUs7Fzv2-wFrni2aaW1dxgIjmb_rnBlM_mH4USFtC2ueNv-Vz-QQBOm37W0I-KSXBuiDl_qUMRBDE0DKDsgyuAJ2a9dmVF9F5Oqw5wvQEtQttbJfh0RhhB8WX42kK5cNIp96da4kSxvLplPpAh33kv2WGLcjMoxnWGEdjo2e2Riz2IxWg3mMOoAoRM3uCIJUi6Z83SdmmfpCcl2uV_1ztgplmiayLpj6Pa68AxkM7wt7tASH9GcVN92zvFWgKco033RE6jRGWPNXtOhVvgQPaEUI0E4te3_CXhGB2WPmKKPIsBiBWDZFA34cVMQbUSUTfM-PwYBPdAf-.pK1LGDsQ0W12JJZLz_sD3x",
"passwordPolicy": {
    "id": "c61e98ee-204b-405f-a271-d351a8ecf784",        
    "name": "Default Password Policy",
    "description": "[Add a description]",
    "minLength": 3,  
    "maxLength": 255,  
    "charSets": [
        {
            "id": "charset.lower",
            "type": "LOWER",
            "min": 1,
            "max": 0
        },
        {
            "id": "charset.digits", 
            "type": "DIGITS",   
            "min": 1,  
            "max": 0
        },
        {
            "id": "charset.symbols",     
            "type": "SYMBOLS",    
            "min": 1,   
            "max": 0
        },
        {
            "id": "charset.upper",      
            "type": "UPPER",  
            "min": 1,    
            "max": 0
        }
],
    "requiredCharSets": 0,
    "allowRandomPassword": false,
    "matchingAttributesCaseSensitive": false, 
    "matchingAttributesMatchEntire": false,    
    "blackListed": [],  
    "blackListCaseSensitive": false,  
    "blackListMatchEntire": false, 
    "blackListRegexes": [],  
    "defaultForceUserPasswordChange": true
     }
}

The next step will be to test the user's new password against the password policy. An example of that request would be:

POST /expiredPassword/test HTTP/1.1
Content-Type: application/json
{
"token":"wsJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.bEkmBEgjf7PivEbXkJjg5PYABZ8DooSUO1jAWTBfY4ZfNWvtxjss1l2k_00WV8Kfuc9XQGVWDgbJe6nYZE5kY95SZ144ioDdS0a7aCeMKS2azFI142iBx5P1vNakYRoVhV7dwCYN7oLHXQBe7fqaYHDbUStCrGzm1rOe4jFTfOHrNIve6x4aLdW3N4M7inTdZK7v3t2_FeCbG9g06A09N75jmJ26uwcQXh7eez9nEnBrzeh7JnGA18UJsYHhpaoqftdMV52NDNIw6os7zM9352R3xEzZErK-mD0Cw42G1zr9zk_dfd0z0RyF5pr9yFVYbY9mga6_vVmBOhTsnFzPIA.4XSwi4xokumtM-w7.3sBpe1XM34pG2CkKl9XUvSLd9y2C7A4I3Nz5PNNw1ZLzGecverVYkh5HKpjH9EI-6Qv4rfovzpqh_rt-JbaBNhqU5jZgA0v4HEQJwJaY8oJ7Q8TI3oiLtqvi-r6kmXKDixSj7BbwQ5kQ2o4S9Wx13O60MtzCH7dvFryRxHYvyblvSUpSXoqKGy5Zljf7nWPLFjq2RYRG6vUHkOE1CfYO2BqoEkTILe7Eqg4sD7BiTilz2u90uGIRafxdC0PUThMfNY6zlGH0LsT9YUDmU4O2pWGz5yzHYNXKRAHRUu-Oz3KQI0FVNXdKEiQl6CWeErOxM8Efin67TKZUVx745ddL-BZGqoyaEmktu71mfRMHXX6sDBQwvQdXeZG3VpHdbqvU9ycavjsEJhnEVFBaTrpu5G-nTiX0yZKRMeIKyIr1PsoGRgqNTfL7W1lGCb68n45UNXIr2sq3eGS8arCIAPzYPszPGDkWzXNy4EF8dMY4py9ml29GLm2QTTW4rEL6d2VU-rebf5JstINVg5s-We-ugyEyBVE-03VjpZRMFkA3jMNbm_kK5UTU0bi7BYb2912wA6Mcc0wCPK_3F1pW2Zljgto1isBOk9--iR5MIuVt91rxfUs7Fzv2-wFrni2aaW1dxgIjmb_rnBlM_mH4USFtC2ueNv-Vz-QQBOm37W0I-KSXBuiDl_qUMRBDE0DKDsgyuAJ2a9dmVF9F5Oqw5wvQEtQttbJfh0RhhB8WX42kK5cNIp96da4kSxvLplPpAh33kv2WGLcjMoxnWGEdjo2e2Riz2IxWg3mMOoAoRM3uCIJUi6Z83SdmmfpCcl2uV_1ztgplmiayLpj6Pa68AxkM7wt7tASH9GcVN92zvFWgKco033RE6jRGWPNXtOhVvgQPaEUI0E4te3_CXhGB2WPmKKPIsBiBWDZFA34cVMQbUSUTfM-PwYBPdAf-.pK1LGDsQ0W12JJZLz_sD3x",
"newPassword": "mynewsecurepassword"
}

If the request is successful, then the server will respond with the following:

HTTP/1.1 200 OK
Content-Type: application/json
{
    "result": true
}

If an error occurs during the request, there will be a similar response with an added message property that looks like this:

HTTP/1.1 400 Bad Request
Content-Type: application/json
{
    "httpStatusCode": 400,
    "message": "Error message details",
}

The final API is the request to update the user's password. The request body is the exact same as the request to test the user's new password; however, the URL is different.

POST /expiredPassword/updatePassword HTTP/1.1
Content-Type: application/json
{
"token":"wsJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.bEkmBEgjf7PivEbXkJjg5PYABZ8DooSUO1jAWTBfY4ZfNWvtxjss1l2k_00WV8Kfuc9XQGVWDgbJe6nYZE5kY95SZ144ioDdS0a7aCeMKS2azFI142iBx5P1vNakYRoVhV7dwCYN7oLHXQBe7fqaYHDbUStCrGzm1rOe4jFTfOHrNIve6x4aLdW3N4M7inTdZK7v3t2_FeCbG9g06A09N75jmJ26uwcQXh7eez9nEnBrzeh7JnGA18UJsYHhpaoqftdMV52NDNIw6os7zM9352R3xEzZErK-mD0Cw42G1zr9zk_dfd0z0RyF5pr9yFVYbY9mga6_vVmBOhTsnFzPIA.4XSwi4xokumtM-w7.3sBpe1XM34pG2CkKl9XUvSLd9y2C7A4I3Nz5PNNw1ZLzGecverVYkh5HKpjH9EI-6Qv4rfovzpqh_rt-JbaBNhqU5jZgA0v4HEQJwJaY8oJ7Q8TI3oiLtqvi-r6kmXKDixSj7BbwQ5kQ2o4S9Wx13O60MtzCH7dvFryRxHYvyblvSUpSXoqKGy5Zljf7nWPLFjq2RYRG6vUHkOE1CfYO2BqoEkTILe7Eqg4sD7BiTilz2u90uGIRafxdC0PUThMfNY6zlGH0LsT9YUDmU4O2pWGz5yzHYNXKRAHRUu-Oz3KQI0FVNXdKEiQl6CWeErOxM8Efin67TKZUVx745ddL-BZGqoyaEmktu71mfRMHXX6sDBQwvQdXeZG3VpHdbqvU9ycavjsEJhnEVFBaTrpu5G-nTiX0yZKRMeIKyIr1PsoGRgqNTfL7W1lGCb68n45UNXIr2sq3eGS8arCIAPzYPszPGDkWzXNy4EF8dMY4py9ml29GLm2QTTW4rEL6d2VU-rebf5JstINVg5s-We-ugyEyBVE-03VjpZRMFkA3jMNbm_kK5UTU0bi7BYb2912wA6Mcc0wCPK_3F1pW2Zljgto1isBOk9--iR5MIuVt91rxfUs7Fzv2-wFrni2aaW1dxgIjmb_rnBlM_mH4USFtC2ueNv-Vz-QQBOm37W0I-KSXBuiDl_qUMRBDE0DKDsgyuAJ2a9dmVF9F5Oqw5wvQEtQttbJfh0RhhB8WX42kK5cNIp96da4kSxvLplPpAh33kv2WGLcjMoxnWGEdjo2e2Riz2IxWg3mMOoAoRM3uCIJUi6Z83SdmmfpCcl2uV_1ztgplmiayLpj6Pa68AxkM7wt7tASH9GcVN92zvFWgKco033RE6jRGWPNXtOhVvgQPaEUI0E4te3_CXhGB2WPmKKPIsBiBWDZFA34cVMQbUSUTfM-PwYBPdAf-.pK1LGDsQ0W12JJZLz_sD3x",
"newPassword": "mynewsecurepassword"
}

A successful request can have different responses depending on the result of the request. If an alternate action is not enabled, then the response will look like the following:

 HTTP/1.1 200 OK
Content-Type: application/json
{
    "result": true,
}

If there is an alternate action enabled, there will be a message field populated in the response, such as the following:

HTTP/1.1 200 OK
Content-Type: application/json
{
    "result": true,
    "message": "My alternate action message",
}

If there is an error during the update password request or the alternate action fails, the request will be similar to the following. The message property will be different based on the type of error being thrown on the server.

HTTP/1.1 400 Bad Request
Content-Type: application/json
{
    "httpStatusCode": 400,
    "message": "Error message",
}