
OAuth Reset Password Workflow Diagram Text Description

  1. In a federation where OAuth password reset has been enabled, a user who logs in on any instance in the federation is redirected to the Universal Login page on the OAuth server.

  2. The user enters their credentials.

  3. The OAuth server redirects the authentication request to the HealthShare Registry by sending it an AuthenticateAuthorize message. The Registry will handle authentication and then authorization of the user.

  4. The Registry invokes the OnAuthenticate callback in the security domain callback class. The security domain callback class is your custom class that extends HS.Registry.Person.User.HSAuth. Because password reset has been enabled, OnAuthenticate should set the boolean return argument pChangePW to indicate whether a password reset is required based on the password policies in your organization.

  5. Now the user's credentials are validated:

    • In an internal security domain, the HealthShare user/clinician registry validates the user's credentials. It also sets pChangePW to 1 if either of the following is true:

      • The password is expired based on the Expiration Date setting in the user/clinician registry.

      • The Force PW Change option is set in the user/clinician registry.

    • In an external security domain, the OnAuthenticate callback designates an external source such as an LDAP server to validate the credentials. The OnAuthenticate callback should set pChangePW to the appropriate value.

  6. Now that the credentials are validated, the Registry invokes the OnAuthorize callback in the security domain callback class:

    • In an internal security domain, the HealthShare user/clinician registry obtains roles for the login ID.

    • In an external security domain, the external source such as an LDAP server designated by the OnAuthorize callback sets the roles.

  7. The Registry returns the username, roles, and password reset status to the OAuth server in an AuthResponse message.

  8. The OAuth server stores the returned values in a local variable.

  9. The OAuth server checks the password reset status value:

    • If the password does not require a reset, then the reset password workflow is complete. Processing continues as outlined in the Universal Login Page workflow diagram at the step where the OAuth server sets the username and roles in a local variable.

    • If the password is expired or requires a reset, the OAuth server displays the Password Reset page.

  10. The user enters a new password on the Password Reset page on the OAuth server.

  11. The Registry invokes the OnValidatePW callback in the security domain callback class at the Registry:

    • In an internal security domain, the HealthShare user/clinician registry validates the password.

    • In an external security domain, a designated external source such as an LDAP server validates the password.

  12. If the password is invalid, the OAuth server displays the error message from the OnValidatePW callback, and the user enters a different password which gets validated at the Registry as in the previous step.

  13. Once a valid password has been entered, the user submits the new password on the Password Reset page on the OAuth server.

  14. The Registry invokes the OnResetPassword callback in the security domain callback class:

    • In an internal security domain, the HealthShare user/clinician registry resets the password.

    • In an external security domain, a designated external source such as an LDAP server resets the password.

  15. The user is redirected to the Universal Login page on the OAuth server so that they can log in with their new password, and the workflow begins again.
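The following is an added Python model of steps 3 through 14 for an internal security domain; it is not HealthShare code and does not reproduce the HS.Registry.Person.User.HSAuth API. It shows the Registry deriving the pChangePW status from the Expiration Date and Force PW Change settings, the validate/reset callbacks, and the OAuth server acting on the reset status before it releases the username and roles. The record layout, password policy, clock and all names are constructed assumptions.

```python
import hashlib, hmac, secrets
from collections import namedtuple
from datetime import date, timedelta
TODAY = date(2024, 6, 1)  # constructed clock so the example is deterministic

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()

# Constructed user/clinician registry entry: "expires" models Expiration Date, "force" the Force PW Change option.
def make_user(password, roles, expired=False, force=False):
    salt = secrets.token_hex(8)
    exp = TODAY - timedelta(days=1) if expired else TODAY + timedelta(days=90)
    return {"salt": salt, "hash": _hash(password, salt), "roles": list(roles),
            "expires": exp, "force": force}

AuthResponse = namedtuple("AuthResponse", "username roles change_pw")  # step 7; change_pw plays pChangePW

class Registry:
    def __init__(self, users):
        self.users = users

    # Steps 4-6: authenticate first; roles are looked up only for a verified user.
    def authenticate_authorize(self, username, password):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            return None
        change_pw = rec["expires"] <= TODAY or rec["force"]  # step 5, internal domain
        return AuthResponse(username, list(rec["roles"]), change_pw)
    # Step 11: OnValidatePW. Returns the message to display, or None if acceptable.
    def validate_pw(self, username, new_password):
        rec = self.users[username]
        if len(new_password) < 12:
            return "Password must be at least 12 characters"
        if hmac.compare_digest(rec["hash"], _hash(new_password, rec["salt"])):
            return "New password must differ from the current password"
    # Step 14: OnResetPassword. Clears both conditions that set pChangePW.
    def reset_password(self, username, new_password):
        rec = self.users[username]
        rec["salt"], rec["force"] = secrets.token_hex(8), False
        rec["hash"], rec["expires"] = _hash(new_password, rec["salt"]), TODAY + timedelta(days=90)

# Steps 8-9: the OAuth server acts on the reset status before using the roles.
def oauth_login(registry, username, password):
    resp = registry.authenticate_authorize(username, password)
    if resp is None:
        return ("login_failed", None)
    if resp.change_pw:
        return ("password_reset_page", resp.username)  # roles deliberately not released
    return ("complete", (resp.username, resp.roles))
```

A user whose password is expired or flagged for a forced change is routed to the reset page even though their credentials were correct, and only after a valid reset does a login complete with roles.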
