Forced password update in WSO2 Identity Server 6.1.0


I'm trying to update the password of a user without a recovery method (forced password update as admin). But I was not able to find an API for password update without a recovery method.

I found an API at https://is.docs.wso2.com/en/6.1.0/apis/use-the-account-recovery-rest-apis/#/Password%20Recovery/post_set_password, but it requires a key from recovery. Can I update the password without a recovery key? Is there any alternative to this API?


There are 2 answers

0
Udesh Athukorala On

You can use the SCIM2 REST API Users Endpoint [1] with a PUT request [2] or a PATCH request [3] to update a user's password as an admin.

The following is a sample curl command to update a user's password using a PATCH request.

curl -k -X PATCH 'https://localhost:9443/scim2/Users/c3715781-a217-4b4c-b949-d433fee2bf32' \
  -H 'Authorization: Basic YWRtaW46YWRtaW4=' \
  -H 'Content-Type: application/json' \
  --data-raw '{"Operations":[{"op":"replace","value":{"password":"test123"}}],"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"]}'

[1] https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint
[2] https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/updateUser
[3] https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/patchUser
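
An added example (not part of the answer above and not WSO2's own code): a Python sketch that builds the same SCIM2 PATCH request while encoding the Basic credential without a stray trailing newline, refusing non-HTTPS URLs, and keeping TLS verification on instead of using `curl -k`. The function names, and the assumption that SCIM user IDs are UUIDs as in the sample URL, are assumptions of this example.

```python
import base64
import json
import ssl
import urllib.request
import uuid

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def basic_auth(user, password):
    """Build an RFC 7617 Basic credential. Control characters are rejected,
    which catches the newline that `echo user:pass | base64` appends."""
    raw = f"{user}:{password}"
    if ":" in user or any(ord(c) < 32 for c in raw):
        raise ValueError("invalid character in credentials")
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")

def build_password_patch(base_url, user_id, new_password, admin_user, admin_password):
    """Return the PATCH request (unsent) that replaces one user's password."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    # Assumption: user IDs are UUIDs. Parsing raises ValueError on anything
    # else, so the ID cannot alter the request path.
    user_id = str(uuid.UUID(user_id))
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"password": new_password}}],
    }
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/scim2/Users/{user_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": basic_auth(admin_user, admin_password),
            "Content-Type": "application/json",
        },
    )

def send(request, ca_file=None):
    """Send with certificate verification enabled; pass ca_file to trust a
    private CA rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=ctx, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed sample values; the request is built and printed, not sent.
    req = build_password_patch("https://localhost:9443",
                               "c3715781-a217-4b4c-b949-d433fee2bf32",
                               "test123", "admin", "admin")
    print(req.get_method(), req.full_url)
```

In practice, read the admin and new passwords with `getpass` or from a secrets store so they do not end up in shell history or process listings.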

0
Sominda Gamage On

What you are trying to do is called "Force Password Reset" by admin. There are several ways that you can do this [1].

  • Using the console
  • Using SCIM APIs.

You can find both these options in the document [1]. If you want to use the APIs, you can find sample API requests as well.

[1] - https://is.docs.wso2.com/en/latest/guides/password-mgt/forced-password-reset/