Update Password Process

Overview

This Process defines how an existing, authenticated user adds a new password (or updates their current one).

Process Flow

This table describes the Process functionality at a high level.

Update User Password

Actors: Front-end user, Client Application, ULM Cloud.

Pre-Conditions: The user is currently authenticated.

Basic Flow:
  1. The user navigates to their profile or settings menu, and selects to update their password.
  2. ULM prompts the user to enter their current password and their new password.
     Notes:
     - If the user does not yet have a password, they only need to provide a new one.
     - This scenario can occur after a user Onboards into ULM via Social Media (no password is required).
  3. The user enters each password in its respective field, and clicks Change Password.
  4. ULM verifies the current password to authorize the change, and then validates the new password.
     Notes:
     - The Process accepts or rejects a password based on the rules under the Password Complexity Rules setting.
     - Password complexity rules are configured in the MarketONE ULM Admin web application.
     - If either password fails validation, the user has a set number of retries before the Process errors out.
     - Depending on the error code returned from ULM, the UI can prompt the user to recover and reset their password.
  5. ULM hashes the new password and saves it in place of the old one.
     Notes:
     - ULM invalidates all other open sessions, remember-me tokens, access tokens and refresh tokens (only the current session is kept), as well as any Relying Party tokens.

Post-Conditions: The user has successfully updated their password.

Error Messages:
  - Invalid password (for the current password). Please try again.
  - The provided password does not match validation rules in terms of length, alphanumeric complexity, or forbidden/common passwords.
  - Password cannot be blank.
  - User has failed and exceeded the maximum number of retries.

App Settings

Certain aspects of the Process' behaviour are controlled by configurable application settings.

ULM Admin Application Settings

Max Failed Input Attempts
  Maximum number of times the Process rejects bad input (an invalid password) before ending.
  Default: 10

Password Complexity Rules
  Defines the minimum criteria for an acceptable password. Configuration points include:
  - Whether or not to require at least one uppercase (A-Z) character
  - Whether or not to require at least one lowercase (a-z) character
  - Whether or not to require at least one numeric (0-9) character
  - The minimum password length
  Defaults: A-Z: Enabled; a-z: Enabled; 0-9: Enabled; Minimum length: 8

All app settings are set in the MarketONE ULM Admin web application. System managers and administrators can consult the ULM Admin User Guide.

Update Password User Journey

This flow diagram illustrates the standard user journey using the Update Password Process.

API Walkthroughs

The following section provides guided walkthroughs of the Update Password Process.

Update Password Scenario

An authenticated user selects to add a new password (or change the existing password).

ULM Cloud enforces restrictions on the passwords it accepts so that a minimum standard of security is met (e.g. password length, use of numbers/special characters). Users are encouraged to choose strong, secure passwords as a best practice for securing their IDs.

Initial Request

The Process Start API initializes the Process:

POST /process/start/userManagement.UpdatePassword.v1.0
<no body>

Response: Prompt User for Passwords

The Process responds with a request to provide both the user's current password and their desired new password:

Response Body
{
    "processId": "8e32c1b6-f9f2-4cb7-9885-55ba89eeddca",
    "processName": "userManagement.UpdatePassword.v1.0",
    "displayMessage": "Please input required information",
    "parameters": {
        "oldPassword": "String",
        "newPassword": "String"
    },
    "stepName": "PasswordPrompt",
    "lastStep": false
}

Entering the current password acts as proof of the current user's identity (as opposed to another individual attempting to hijack the user's profile).

Response Parameters

Parameter        Description
processId        Unique identifier for the current instance of this Process.
processName      Full name of the Process, including the category and version number.
stepName         Name of the specific step that the Process is currently on.
lastStep         Boolean that indicates whether or not this was the last step in the Process.
displayMessage   Optional message that the UI can display to the end user.
parameters       Object that specifies the info this Process requires to continue its task.
  oldPassword    The user's current password, used to verify that it is the user themselves who is modifying their password.
  newPassword    The desired new password.

Tip: The Process does not ask the user to provide their new desired password twice. However, as a best practice, UIs developed around ULM Cloud Processes and APIs should implement this logic before passing the new credential to ULM Cloud.

Final Request: Provide New Password

The user provides their old and new credentials, and the client passes that information to the Process with the Process Step API:

Request Body
{
    "processId": "8e32c1b6-f9f2-4cb7-9885-55ba89eeddca",
    "parameters": {
        "oldPassword": "L3tm3inplease",
        "newPassword": "thi5i54Sup3rS3cur3p455w0rd"
    }
}
Request Parameters

Parameter        Description
processId        Unique identifier for the current instance of this Process.
parameters       Object that contains the data that was requested in the previous Process response.
  oldPassword    The user's current password, supplied by the user.
  newPassword    The desired new password, supplied by the user.

Response: Success

ULM Cloud saves the new password provided, and the Process ends. From now on the user must supply the new password whenever they are prompted for it.

Response Body
{
    "processId": "8e32c1b6-f9f2-4cb7-9885-55ba89eeddca",
    "processName": "userManagement.UpdatePassword.v1.0",
    "lastStep": true
}
Response Parameters

Parameter        Description
processId        Unique identifier for the current instance of this Process.
processName      Full name of the Process, including the category and version number.
lastStep         Boolean that indicates whether or not this was the last step in the Process.

Error Scenario: Invalid Password

If the user provides an invalid new password, the Process responds with an HTTP 400 status code.

The body includes a fieldErrors array listing the reason(s) the password was rejected:

Response Body
{
    "processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
    "stepName": "PasswordPrompt",
    "lastStep": false,
    "fieldErrors": [
        {
            "field": "credential",
            "code": "NotWeakPassword",
            "rejectedValue": "test",
            "message": "password-regex-rule-violation-.*[0-9].*"
        },
        {
            "field": "credential",
            "code": "NotWeakPassword",
            "rejectedValue": "test",
            "message": "blacklisted-password"
        },
        {
            "field": "credential",
            "code": "NotWeakPassword",
            "rejectedValue": "test",
            "message": "password-regex-rule-violation-.{8,}"
        },
        {
            "field": "credential",
            "code": "NotWeakPassword",
            "rejectedValue": "test",
            "message": "password-regex-rule-violation-.*[A-Z].*"
        }
    ],
    "lastFailedStepAction": {
        "processId": "8e32c1b6-f9f2-4cb7-9885-55ba89eeddca",
        "processName": "userManagement.UpdatePassword.v1.0",
        "stepName": "PasswordPrompt",
        "displayMessage": "Please input required information",
        "parameters": {
            "oldPassword": "String",
            "newPassword": "String"
        }
    }
}

In the above example, the fieldErrors array indicates the following:

  • The password fails to include at least one number (0-9)
  • The password is on an internal list of commonly banned passwords
  • The password fails to meet the minimum length (8 characters)
  • The password fails to include at least one capital letter (A-Z)

Reminder: Rules are configured under the Password Complexity Rules setting in the MarketONE ULM Admin UI.

The response also includes a lastFailedStepAction object that repeats the previous Process step's request. The user can re-attempt their request with a different (ideally stronger) password, and complete the Process as normal.

Response Parameters

Parameter              Description
processId              The unique identifier for the instance of this Process.
stepName               The internal name of the step that the Process is currently on / just executed.
lastStep               Boolean that indicates whether or not this was the last step in the Process.
fieldErrors            Array of error objects. Each object describes a separate error condition.
  field                The name of the specific field where the error occurred.
  code                 An error object's internal code name.
  rejectedValue        The actual value that caused the error.
  message              Optional message that describes the error.
lastFailedStepAction   Object that repeats the previous Process step's details and required input. This allows the client to retry the failed request.
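As an added example (not ULM Cloud code, nor code from this page), the following JavaScript shows the two client-side pieces described in this walkthrough: pre-checking a candidate password against the default Password Complexity Rules (and the confirm-password step the Tip recommends) before calling the Process Step API, and decoding the fieldErrors messages of a 400 response into text for the end user. The lowercase-rule message string and the local "confirmation-mismatch" and "NotEmpty" codes are assumptions; the sample 400 body is constructed from the documented response.

```javascript
// Added example, not ULM Cloud code: client-side pre-checks mirroring the documented
// Password Complexity Rules defaults, plus a decoder for the fieldErrors of a 400 response.
const DEFAULT_RULES = { upper: true, lower: true, digit: true, minLength: 8 }; // App Settings defaults
const RULE_PREFIX = "password-regex-rule-violation-"; // prefix seen in the documented 400 response

// Each enabled rule paired with the message ULM reports for it. The lowercase pattern is an
// assumption by analogy: the page shows only the digit, length and uppercase variants.
function ruleChecks(rules) {
  const checks = [];
  if (rules.upper) checks.push([/[A-Z]/, RULE_PREFIX + ".*[A-Z].*"]);
  if (rules.lower) checks.push([/[a-z]/, RULE_PREFIX + ".*[a-z].*"]);
  if (rules.digit) checks.push([/[0-9]/, RULE_PREFIX + ".*[0-9].*"]);
  checks.push([new RegExp(`.{${rules.minLength},}`), RULE_PREFIX + `.{${rules.minLength},}`]);
  return checks;
}

// Pre-validate before calling the Process Step API; [] means acceptable locally.
// "confirmation-mismatch" is our own code (the page recommends asking for the new password
// twice). The common-password blacklist is server-side and deliberately not mirrored.
function localPasswordChecks(newPassword, confirmPassword, rules = DEFAULT_RULES) {
  if (!newPassword) return ["NotEmpty"];
  if (newPassword !== confirmPassword) return ["confirmation-mismatch"];
  return ruleChecks(rules).filter(([re]) => !re.test(newPassword)).map(([, msg]) => msg);
}

// Translate one fieldErrors message into user-facing text.
function humanize(message) {
  if (message === "blacklisted-password") return "This password is on the list of commonly used passwords.";
  if (!message.startsWith(RULE_PREFIX)) return `Password rejected: ${message}`;
  const pattern = message.slice(RULE_PREFIX.length);
  const len = /^\.\{(\d+),\}$/.exec(pattern); // ".{8,}" encodes the minimum length
  if (len) return `Use at least ${len[1]} characters.`;
  const cls = /^\.\*\[([^\]]+)\]\.\*$/.exec(pattern); // ".*[A-Z].*" encodes a required class
  if (cls) return `Include at least one character from ${cls[1]}.`;
  return `Password must match ${pattern}.`;
}

// Decode a 400 Process response body into unique, user-facing messages (in server order).
function describeFieldErrors(body) {
  return [...new Set((body.fieldErrors || []).map((e) => humanize(e.message)))];
}

// Constructed sample: the documented 400 response for the rejected value "test".
const SAMPLE_400_BODY = {
  processId: "8bca30ca-dd44-4050-aece-53b0dbed1922", stepName: "PasswordPrompt", lastStep: false,
  fieldErrors: [".*[0-9].*", "", ".{8,}", ".*[A-Z].*"].map((p) => ({
    field: "credential", code: "NotWeakPassword", rejectedValue: "test",
    message: p ? RULE_PREFIX + p : "blacklisted-password",
  })),
};
```

Running localPasswordChecks on the UI's two password fields before the Step call avoids burning one of the Max Failed Input Attempts on input the rules would reject anyway, while describeFieldErrors covers the server-only checks such as the common-password blacklist.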

Error Codes

Below is a comprehensive list of potential error codes that may be returned during the execution of this Process.

Common Error Codes

Common Process Error Codes

Process-Specific Error Codes

HTTP Status  Format            ULM Error Code                             FieldError   Description
400          validation error  NotWeakPassword                            newPassword  The password provided did not meet the minimum criteria for a sufficiently complex password.
400          validation error  NotEmpty                                   newPassword  No password was supplied.
400          operation error   user-without-authnid                       N/A          An attempt was made to update the user's password, but they do not have a corresponding authentication identifier (thus rendering a password useless).
400          operation error   invalid-credential                         N/A          The user provided an incorrect value as their current password.
400          operation error   process-terminated-with-too-many-retries                Process terminated after too many failed user input attempts.

Revision History

Version Description
2020.09 Added this topic.