How to verify current password before a user changes to new password

Owned by Oscar Santolalla
Last updated: 2021-07-29
2 min read


This article is relevant for applications that need to implement password change as an internal functionality, in addition to the password change functionality present in CustomerID self-service pages.


Use case

User is logged into the application and goes to "Change Password" functionality.

The application user interface typically prompts three fields before a "Save" button:

  • Current password
  • New password
  • Confirm new password

For security reasons, the application must verify first that the "current password" the user inputs matches the password that is stored in the data repository.


Solution

The solution requires OAuth 2.0 Password grant.

For reference to documentation: Password grant - SSO


Step 1: Configure OAuth 2.0 Password grant


  1. On SSO Management Console create a new OAuth 2.0 client (application) and call it validate-current-password.
  2. The only allowed grant for this client is password. On "ID and Activation" press Upload and enter:
    {"grant_types":["password"]}



  3. Activate the application, so it will generate a client_id and a client_secret.
  4. Save those values.


Step 2: Call the APIs

To perform a password verification you need to make two API calls:


  1. Call the token endpoint using the client_id, client_secret, enduser username and enduser password. Scope should be set to openid.

    First command to get access token:


    curl -X POST -u "myClientID:clientSecret" -d "grant_type=password&username=jdoe&password=changeit" https://example.com/uas/oauth2/token


    If you get an id_token then the password was correct



  2. Now you should still verify that the subject matches the current user changing the password. If the password is wrong, the token request will fail. Call the introspection endpoint with the command below, specifying client_id, client_secret and the access token received with the previous API call.

    Command to call introspection endpoint:


    curl -X POST -u "myClientID:clientSecret" -d "token=eyJjdHkiOiJKV1QiLCJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiemlwIjoiREVGIiwiaXNzIjoiYjgwNzQ1Y2ItN2U1Yy00MTgzLTk1ZDMtYzZlZTc5YzJlMDE0In0..71HtG8utJIbm57TUk1Gdgg.4jGK2D5lpCiwla5JhSKtecb9yf1ewo9-JH6BL6rZJfav_-9a5d1d1B0HeyLOzk3nY_FU25idDTuFGvMngGDRK3vkQjZsb3AM7KB_t3iGxdvtc-Abdg4tiOwadGEuKZEszjr9lOMwGtR6fCtbU1P4mZifTGoyrhZnw1JhsW-2rswoHGtdoUXYkmx8UOSmdzMPZC41ZY1NZyFQ8Zhb-2OtWqJGuiTWpkpRe5tuoxqjqRD07rBH8lex3gZPmlzKuIxyqPO09I-CxbuTOOGLhWB75bqHD9nUvtu650Svnodp1nAb3aTFinYSH7Ho0w-NwUxE6kJtPwhnF76KDTHWE8-RnA.ngQEpxZfdNPsNLX75P64Kg" https://example.com/uas/oauth2/introspection



    The output of the second call should show you the username and/or email (depending on the authorisation policy configured). With this you have verified that the right user has entered the right current password.


After this is implemented on your application, it will be ready to update any new user's password in the data repository.




Ubisecure Privacy Policy & Cookie Statement