Admin console can send a reset password email to the user. Originally
it just executed update password. I changed this so that it sets an
Update Password required action on the User. The email link click runs
all required actions set for the user, then displays a message that the
Account has been updated.
When I get back, I'm also going to change the admin console behavior and
look too. Instead of a "Reset Password Email" button on Credentials
tab, there will be a button next to the Required Actions selection box
on user detail, something like "Email Required Actions" (I need a
better name). Clicking on this button will send an email to user
"Your adminstrator has requested that you update and/or reset some of
your account settings. Please click the link below to perform these
We do it this way because there may be multiple credentials the admin
wants the user to reset. These credentials may be custom authenticators.
Also I refactored the CONFIG_TOTP, UPDATE_PROFILE, and UPDATE_PASSWORD
required actions. They are now fully encapsulated under the required
actions SPI and are not hardcoded with any special cases. I still need
to refactor verify email. Ran out of time.
Finally, I need to add a check to user-initiated Reset Credentials. I
haven't put back in the cookie check to make sure not to log in the user
if its not the same browser.
JBoss, a division of Red Hat