Wai Yan

Reputation: 582

Invalidating old Reset Password Links in WSO2 Identity Server

I am following this guide to allow the users to reset the password using email. The problem is that when the user requests a "password reset link" multiple times, the old links generated are not invalidated. (The password can be reset using either the latest link or the old links.)

Is there any parameter I can set to invalidate the old links?

Upvotes: 0

Views: 396

Answers (2)

Sajith Abeywardhana

Reputation: 89

There is a property file called identity-mgt.properties which you can find in the /repository/conf/identity/ directory. In this property file, there is a property called Notification.Expire.Time which you can use to set the confirmation code expiry time in minutes.

Notification.Expire.Time denotes the expiration time of the confirmation code. Even in a notification recovery scenario a confirmation code is generated. If notification is done via email, the link sent to the user for verification will include the confirmation code. Therefore, once the user clicks that link, the confirmation code will be verified. Thus, you can use this property to validate the link.

Upvotes: 1

Chamila Wijayarathna

Reputation: 1943

Currently, generated confirmation codes are invalidated only once the user changes his password successfully. So, as you have mentioned, the user will be able to recover his password using any confirmation code he has retrieved. And when the user successfully changes the password, all the confirmation codes generated before that will be invalidated. This is the default behaviour for now and we don't have a configuration to change that.

Upvotes: 0
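To make the two answers concrete, here is an added example (not WSO2 Identity Server code) that models the behaviour described above: a confirmation code stays valid until it expires (the Notification.Expire.Time role) or until a successful password change wipes every code issued for that user. It also implements the policy the asker wanted, which the second answer says is not configurable: a new request invalidates all older codes. The class name, the `single_active` switch and the timestamps are assumptions for the illustration.

```python
import hmac
import secrets


class ResetCodeStore:
    """Tracks password-reset confirmation codes per user.

    expire_minutes  : lifetime of a code, in minutes (same idea as
                      Notification.Expire.Time in identity-mgt.properties).
    single_active   : assumed extra policy; when True, issuing a new code
                      invalidates every older code for that user.
    """

    def __init__(self, expire_minutes, single_active=False):
        self.expire_seconds = expire_minutes * 60
        self.single_active = single_active
        self._codes = {}  # user -> {code: issued_at_seconds}

    def issue(self, user, now):
        """Generate an unguessable code for `user` at time `now` (seconds)."""
        per_user = self._codes.setdefault(user, {})
        if self.single_active:
            per_user.clear()  # older links stop working as soon as a new one is sent
        code = secrets.token_urlsafe(32)
        per_user[code] = now
        return code

    def is_valid(self, user, code, now):
        """True if `code` belongs to `user` and has not expired."""
        for stored, issued_at in self._codes.get(user, {}).items():
            # constant-time comparison so lookup timing does not leak code bytes
            if hmac.compare_digest(stored, code):
                return (now - issued_at) < self.expire_seconds
        return False

    def consume(self, user, code, now):
        """Successful password change: every code for the user is invalidated."""
        if not self.is_valid(user, code, now):
            return False
        self._codes.pop(user, None)
        return True
```

With `single_active=False` the store reproduces the default WSO2 behaviour from the second answer (both old and new links work until one is used); with `single_active=True` only the most recent link is accepted.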
