Account Lockout

Cantor, Scott cantor.2 at osu.edu
Mon Nov 21 13:53:01 EST 2016


> Right. That’s pretty simple. But there doesn’t seem to be much in the way of
> handling locked accounts. Are you aware of an api to do this?

Sorry, that aspect of your question wasn't clear and I forgot there's nothing documented on that, mainly because the answer is "sort of but not really". I decided against creating a formal API that I'm willing to stand behind, there just wasn't time.

There is a more general workaround that I am not prepared to commit to as an API, but as an unofficial one it's able to do more than just that specific thing: it operates directly on any storage service and can read or delete (not create or update) records. For obvious reasons, that's not official *for this purpose*, since it would mean cementing the storage of the data used by that particular lockout implementation.

So it's an unofficial way of using a new official interface to do an unlock.

The API is a REST interface; it's one of the new Administrative flows (the security model of which is documented), at /idp/profile/admin/storage

The REST interface is, roughly:

/idp/profile/admin/storage/nameofstoragebean/context/key

GET and DELETE are supported. The API is designed around the jsonapi.org site's conventions and makes very limited use of them at the moment.

The implementation I provided stores the records under a context with the name of the account lockout manager bean (shibboleth.StorageBackedAccountLockoutManager), and the keys are "username!ipaddress"; I cannot promise that won't change.

I didn't hold the feature because the whole thing is a pluggable interface, so the main point of it was to get the password validators calling the interface at the right times and honoring the outcome. The rest is a matter of programming, and anybody can plug in their own that wouldn't depend on anything but their own choices for storage.

I'll clarify all this in the page, I just hadn't gotten to it (mainly because none of the admin flows have been documented yet).

-- Scott
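As an added illustration of the unofficial unlock described in the post (this is not code from the post or from the Shibboleth project): a small POSIX shell script that looks up, and then deletes, the lockout record kept under the shibboleth.StorageBackedAccountLockoutManager context for one username/IP pair. The IdP base URL, the storage bean name (shibboleth.StorageService) and any curl options needed for the admin flow's access control are assumptions, not values from the post; the "username!ipaddress" key layout is the one the post describes and, as it says, may change.

```shell
#!/bin/sh
# Added example, not code from the post or from the Shibboleth project: look up
# and then delete the lockout record that the account lockout manager stores for
# one username/IP pair, using the unofficial GET/DELETE on the admin storage flow.
# Assumptions (not in the post): the IdP base URL, the storage bean name, and any
# credentials/options curl needs to satisfy the admin flow's access control.
IDP_BASE="${IDP_BASE:-https://idp.example.org}"            # assumed
STORAGE_BEAN="${STORAGE_BEAN:-shibboleth.StorageService}"  # assumed bean name
CURL_AUTH="${CURL_AUTH:-}"                                 # e.g. "-u admin:secret", assumed
LOCKOUT_CONTEXT="shibboleth.StorageBackedAccountLockoutManager"

# Percent-encode one path segment (ASCII only) so '!' in the "username!ipaddress"
# key, or ':' in an IPv6 address, cannot be mistaken for URL structure.
urlencode() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"; s="${s#?}"
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# URL of the record: /idp/profile/admin/storage/<bean>/<context>/<key>
lockout_record_url() {
    printf '%s/idp/profile/admin/storage/%s/%s/%s' \
        "$IDP_BASE" "$STORAGE_BEAN" "$(urlencode "$LOCKOUT_CONTEXT")" "$(urlencode "$1!$2")"
}

# GET the record first so a missing one is reported instead of blindly deleting;
# the key layout is what the post describes and may change in later releases.
unlock_account() {
    url="$(lockout_record_url "$1" "$2")"
    code="$(curl -sS -o /dev/null -w '%{http_code}' $CURL_AUTH "$url")"
    case "$code" in
        2*) ;;
        404) echo "no lockout record for $1 from $2"; return 0 ;;
        *)   echo "GET $url failed with HTTP $code" >&2; return 1 ;;
    esac
    code="$(curl -sS -o /dev/null -w '%{http_code}' $CURL_AUTH -X DELETE "$url")"
    case "$code" in
        2*) echo "deleted lockout record for $1 from $2" ;;
        *)  echo "DELETE $url failed with HTTP $code" >&2; return 1 ;;
    esac
}

if [ "$#" -eq 2 ]; then
    unlock_account "$1" "$2"
fi
```

Run it as `sh unlock.sh jsmith 10.0.0.5` with IDP_BASE, STORAGE_BEAN and CURL_AUTH set for the deployment; a 404 on the GET means no record exists for that pair and nothing is deleted.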
