RTodd

Reputation: 53

WSO2 API Manager 4.2.0 - Is it possible to trigger a Forced Password Reset?

Problem

We are using WSO2 API Manager 4.2.0. We would like to create some user accounts from the management console and then later force users to reset their passwords.

We can notify (by manual email) users that their account has been created, that they should log into the developer portal, and we can request that they change their own password. However, we would like to understand if it is possible to force this password reset (either upon first login to the developer portal, or by a password reset email)?

Research

Note: We are using API-M 4.2.0 with Resident key manager (not with WSO2-IS).

The steps to create accounts and set user passwords work. WSO2 API-M - Changing-a-password

There is some WSO2 Identity Server documentation about forcing a password reset. WSO2 IS - invoke-admin-force-password-reset. I can see these settings in our carbon console: Resident Identity Provider >> Account Management >> Password Reset >> 'Enable password reset via recovery e-mail'

However, it is not clear whether the password reset can be invoked (as per above documented steps) with API-M (with only the embedded parts of Identity Server) since the SCIM 2.0 API is not available in API-M.

Question: Is it possible to force user password resets by email with API-M 4.2.0?

Update 02/08/2023

Followed the suggested answer from @Athiththan. Some of the suggested workflow appeared to work (reset email generated) but received errors when the user submits the new email from the form.

Steps: From Carbon Management console

  1. From Claims, selected http://wso2.org/claims
  2. Found Force Password Reset, updated the Required and Supported by Default fields as true
  3. Confirmed Enable password reset via recovery e-mail option ticked.
  4. Selected a user, set Force Password Reset to true.

Testing

  1. From email client, received a reset email. Clicked on the link.
  2. From browser, entered / confirmed a new password, clicked Proceed button. Redirected to blank page.
  3. From carbon log, errors observed.
TID: [-1234] [api/identity/recovery/v0.9] [2023-08-02 13:54:32,532] ERROR {org.wso2.carbon.identity.recovery.endpoint.impl.SetPasswordApiServiceImpl} - Error occurred in the server while performing the task. java.util.regex.PatternSyntaxException: Illegal character range near index 13
[https://new-hostname.company.com:9443].*[/authenticationendpoint/login.do]*

Note: URL obscured. However, it does start with new-.

Errors in carbon log, continued (full stack traces removed).

TID: [-1234] [accountrecoveryendpoint] [2023-08-02 13:54:32,793] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/accountrecoveryendpoint].[completepasswordreset.do]} - Servlet.service() for servlet [completepasswordreset.do] in context with path [/accountrecoveryendpoint] threw exception [An exception occurred processing [error.jsp] at line [57]

54:         File headerFile = new File(getServletContext().getRealPath("extensions/header.jsp"));
55:         if (headerFile.exists()) {
56:     %>
57:     <jsp:include page="extensions/header.jsp"/>
58:     <% } else { %>
59:     <jsp:include page="includes/header.jsp"/>
60:     <% } %>

TID: [-1234] [accountrecoveryendpoint] [2023-08-02 13:54:32,794] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/accountrecoveryendpoint].[jsp]} - Servlet.service() for servlet [jsp] threw exception java.lang.NullPointerException: Cannot invoke "String.split(String)" because "decodedValue" is null
        at org.apache.jsp.extensions.header_jsp._jspService(header_jsp.java:155)

TID: [-1234] [accountrecoveryendpoint] [2023-08-02 13:54:32,794] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost]} - Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] org.apache.jasper.JasperException: An exception occurred processing [/extensions/header.jsp] at line [40]

37:       if (cb != null) {
38:           URI uri = new URI(cb);
39:           String decodedValue = uri.getQuery();
40:           String[] params = decodedValue.split("&");
41:           for (String param : params) {
42:               if (param.startsWith("tenantDomain=")) {
43:                   String[] keyVal = param.split("=");

Caused by: org.apache.jasper.JasperException: An exception occurred processing [/extensions/header.jsp] at line [40]

37:       if (cb != null) {
38:           URI uri = new URI(cb);
39:           String decodedValue = uri.getQuery();
40:           String[] params = decodedValue.split("&");
41:           for (String param : params) {
42:               if (param.startsWith("tenantDomain=")) {
43:                   String[] keyVal = param.split("=");
Caused by: java.lang.NullPointerException: Cannot invoke "String.split(String)" because "decodedValue" is null


Upvotes: 1

Views: 265
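As an added illustration (not part of the question or the answer), this Java snippet reproduces the first error from the carbon log: the callback pattern wraps URL fragments in square brackets, which the Java regex engine reads as character classes, so the `new-h` in the obscured hostname becomes a reversed character range. The quoted replacement pattern and the null-safe `tenantDomainFromCallback` helper are assumptions about how the two failures could be avoided, not WSO2 code; the hostname and tenant value are constructed placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
public class RecoveryCallbackCheck {
    // Placeholder base URL as obscured by the poster; only the "new-" prefix matters.
    static final String BASE = "https://new-hostname.company.com:9443";
    // Reconstructed from the question's log. Square brackets form a character class,
    // not a group, so "new-h" is read as the range 'w'..'h'.
    static final String BROKEN = "[" + BASE + "].*[/authenticationendpoint/login.do]*";
    // Assumed intent: the literal base URL followed by anything. Pattern.quote()
    // escapes every metacharacter in the literal part, that hyphen included.
    static final String FIXED = Pattern.quote(BASE) + ".*";

    /** Returns null if the regex compiles, otherwise the engine's diagnostic. */
    static String compileError(String regex) {
        try {
            Pattern.compile(regex);
            return null;
        } catch (PatternSyntaxException e) {
            // For BROKEN the index is 13, the 'h' right after "new-", as in the log:
            // 'w' (0x77) is greater than 'h' (0x68), so the range is rejected.
            return e.getDescription() + " near index " + e.getIndex();
        }
    }

    /** Hypothetical null-safe form of the header.jsp logic quoted in the log:
     *  URI.getQuery() is null when the callback has no '?', which caused the NPE. */
    static String tenantDomainFromCallback(String cb) throws URISyntaxException {
        String query = new URI(cb).getQuery();
        if (query == null) {
            return "";
        }
        for (String param : query.split("&")) {
            if (param.startsWith("tenantDomain=")) {
                String[] keyVal = param.split("=", 2);
                return keyVal.length == 2 ? keyVal[1] : "";
            }
        }
        return "";
    }

    public static void main(String[] args) throws URISyntaxException {
        String login = BASE + "/authenticationendpoint/login.do";
        System.out.println(compileError(BROKEN));
        System.out.println(compileError(FIXED));
        System.out.println(Pattern.compile(FIXED).matcher(login).matches());
        System.out.println(tenantDomainFromCallback(login));   // no query string
        System.out.println(tenantDomainFromCallback(login + "?tenantDomain=tenant.example"));
    }
}
```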

Answers (1)

Athiththan

Reputation: 2218

To perform Force Password Reset, it is recommended to use the WSO2 Identity Server along with the WSO2 API Manager. However, we can achieve a similar approach with the following by only using the WSO2 API Manager:

  1. Go to the Carbon Management console of the WSO2 API Manager and log in using the Admin credentials
  2. Go to Claims > List and select the http://wso2.org/claims from the list
  3. Search for Force Password Reset from the list and expand the tile
  4. Click on Edit, and update the Required field as true and the Supported by Default field as true as well
  5. Navigate to Identity Providers > Resident and expand the Account Management > Password Reset and enable the Enable password reset via recovery e-mail option and click on Update
  6. Now, let's navigate to the Users and Roles > Users and select the User that you want to force password reset and click on User Profile
  7. You will see a field named Force Password Reset; enable that to send an email notification to the respective User to reset the password

Please make sure that you have configured the SMTP configurations in the WSO2 API Manager to prompt and send the email to the user to reset the password. You can refer to the WSO2 IS Doc to configure the Email Sender in WSO2 API Manager.

Upvotes: 1
