OAuth Authentication Reset Password Workflow Diagram Text Description
- In a federation where OAuth password reset has been enabled, a user who logs in on any instance in the federation is redirected to the Universal Login page on the OAuth server.
- The user enters their credentials.
- The OAuth server forwards the authentication request to the HealthShare Registry by sending it an AuthenticateAuthorize message. The Registry handles authentication first and then authorization of the user.
- The Registry invokes the OnAuthenticate callback in the security domain callback class. The security domain callback class is your custom class that extends HS.Registry.Person.User.HSAuth. Because password reset has been enabled, OnAuthenticate must set the boolean output argument pChangePW to indicate whether a password reset is required according to your organization's password policies.
- The user's credentials are validated:
  - In an internal security domain, the HealthShare user/clinician registry validates the user's credentials and sets pChangePW to 1 if the password has expired according to the Expiration Date setting in the user/clinician registry, or if the Force PW Change option is set in the user/clinician registry.
  - In an external security domain, the OnAuthenticate callback delegates validation of the credentials to an external source such as an LDAP server. The OnAuthenticate callback is still responsible for setting pChangePW to the appropriate value, for example from the password-expiry information the external source returns.
- Once the credentials are validated, the Registry invokes the OnAuthorize callback in the security domain callback class:
  - In an internal security domain, the HealthShare user/clinician registry obtains the roles for the login ID.
  - In an external security domain, the external source such as an LDAP server designated by the OnAuthorize callback supplies the roles for the login ID.
- The Registry returns the username, roles, and password reset status to the OAuth server in an AuthResponse message.
- The OAuth server stores the returned values in a local variable.
- The OAuth server checks the password reset status value:
  - If the password does not require a reset, the reset password workflow is complete. Processing continues as outlined in the OAuth Workflow diagram, at the step where the OAuth server checks whether two-factor authentication is required.
  - If the password has expired or requires a reset, the OAuth server displays the Password Reset page.
- The user enters a new password on the Password Reset page on the OAuth server, and the Registry invokes the OnValidatePW callback in the security domain callback class:
  - In an internal security domain, the HealthShare user/clinician registry validates the new password against its password policy.
  - In an external security domain, a designated external source such as an LDAP server validates the new password.
- If the password is invalid, the OAuth server displays the error message returned by the OnValidatePW callback, and the user enters a different password, which the Registry validates in the same way.
- Once a valid password has been entered, the user submits the new password on the Password Reset page on the OAuth server, and the Registry invokes the OnResetPassword callback in the security domain callback class:
  - In an internal security domain, the HealthShare user/clinician registry resets the password.
  - In an external security domain, a designated external source such as an LDAP server resets the password.
- The user is redirected to the Universal Login page on the OAuth server so that they can log in with their new password, and the workflow begins again from the first step.
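The following Python model is an added illustration of the whole workflow above; it is not HealthShare code and not part of the original page. The class and method names (InternalDomain, Registry, OAuthServer, on_authenticate, on_authorize, on_validate_pw, on_reset_password) are assumptions that stand in for the HSAuth callbacks and the AuthenticateAuthorize/AuthResponse messages, whose real signatures this page does not show. Only the decision logic is taken from the text: pChangePW is derived from the expiration date or the force-change flag, roles are obtained only after authentication succeeds, an invalid new password yields the validator's error text, and a successful reset sends the user back to the login page.

```python
"""Model of the OAuth password-reset workflow (added example, not HealthShare code)."""
import hashlib
import hmac
import os
from datetime import date, timedelta


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real registry stores; never keep clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class InternalDomain:
    """Stands in for the user/clinician registry of an internal security domain."""

    def __init__(self, today: date):
        self.today = today
        self.users = {}  # username -> constructed sample record

    def add_user(self, username, password, roles, expires=None, force_change=False):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "roles": list(roles), "expires": expires,
                                "force_change": force_change}

    def on_authenticate(self, username, password):
        """OnAuthenticate stand-in: returns (credentials_ok, change_pw)."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            return False, False
        expired = rec["expires"] is not None and rec["expires"] <= self.today
        return True, (expired or rec["force_change"])  # pChangePW

    def on_authorize(self, username):
        """OnAuthorize stand-in: roles for an already-authenticated login ID."""
        return list(self.users[username]["roles"])

    def on_validate_pw(self, username, new_password):
        """OnValidatePW stand-in: None if acceptable, else the error text to display."""
        rec = self.users[username]
        if len(new_password) < 12:
            return "Password must be at least 12 characters"
        if hmac.compare_digest(rec["hash"], _hash(new_password, rec["salt"])):
            return "New password must differ from the current password"
        return None

    def on_reset_password(self, username, new_password, expiry_days=90):
        """OnResetPassword stand-in: store the new password and clear the reset conditions."""
        rec = self.users[username]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash(new_password, rec["salt"])
        rec["force_change"] = False
        rec["expires"] = self.today + timedelta(days=expiry_days)


class Registry:
    """Handles an AuthenticateAuthorize message: authenticate first, authorize only on success."""

    def __init__(self, domain):
        self.domain = domain

    def authenticate_authorize(self, username, password):
        ok, change_pw = self.domain.on_authenticate(username, password)
        if not ok:
            # No roles and no reset status leak for a failed login.
            return {"ok": False, "username": None, "roles": [], "change_pw": False}
        roles = self.domain.on_authorize(username)
        return {"ok": True, "username": username, "roles": roles, "change_pw": change_pw}


class OAuthServer:
    """Models the Universal Login page and the Password Reset page."""

    def __init__(self, registry):
        self.registry = registry
        self.sessions = {}  # the "local variable" holding the AuthResponse per user

    def login(self, username, password):
        resp = self.registry.authenticate_authorize(username, password)
        if not resp["ok"]:
            return "login_failed"
        self.sessions[username] = resp
        if resp["change_pw"]:
            return "password_reset_page"
        return "check_two_factor"  # hand over to the main OAuth workflow

    def submit_new_password(self, username, new_password):
        # Only a session that OnAuthenticate flagged for reset may change the password.
        if username not in self.sessions or not self.sessions[username]["change_pw"]:
            return "not_in_reset"
        error = self.registry.domain.on_validate_pw(username, new_password)
        if error:
            return error  # shown to the user, who tries again
        self.registry.domain.on_reset_password(username, new_password)
        del self.sessions[username]
        return "redirect_to_login"
```

Two points of the model are worth carrying over to a real callback class: the reset page is reachable only after the current credentials were validated and OnAuthenticate raised pChangePW, so this is an expired-password change and not a forgotten-password recovery, and the OAuth server refuses a reset for any session that was not flagged, so a client cannot skip straight to the reset step.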