Openiddict-core: [Question] Adding Password Expiry with Password Flow

Created on 23 Jan 2017  路  3Comments  路  Source: openiddict/openiddict-core

I have an application consisting of a RESTful API and single page JavaScript client, using OpenIddict password flow to authenticate users. The API exposes the /connect/token endpoint, and the JS app captures the user credentials, and uses the endpoint to get a token for authenticating further requests to the back-end.

I would now like to add a feature whereby if a password has not been changed in X number of days, the user is prompted to do so when attempting to log in. In order to achieve this, I think I will need to return a non standard error response code to inform the client of such a case (under OAuth 2.0, invalid_grant should be returned for both invalid/expired credentials).

As the API is private, and will only be consumed by the JS app, perhaps this is an acceptable approach, however it doesn't quite sit right with me. Do you think it is an acceptable solution to modify the response of /connect/token to indicate that the user's password has expired? Is there a better way to achieve this, perhaps replacing connect/token with an entirely custom login endpoint?

question

Most helpful comment

FYI this is considered bad practice and brings no value to security.

All 3 comments

FYI this is considered bad practice and brings no value to security.

Since you're responsible of implementing the authentication part, this is definitely something you can do, in a totally standard way.

That said, I agree with @Bartmax. FWIW, the NIST no longer recommends using password expiration in most cases: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

Thanks for the tips. I will certainly revisit the necessity for password expiry.

I still need the ability to be able to force a user to update their password, however it sounds like I should just create a new login endpoint for this rather than use the standard OAuth access token endpoint.

Was this page helpful?
0 / 5 - 0 ratings