I have an API project and a separate project running IdentityServer4. A 3rd party app logs in to IdentityServer4 and receives an access token. Using the token, the 3rd party app makes calls to the API project. Now the 3rd party app wants an API resource (api/users/change_password) with the ability to change a user's password by providing the username, current password and new password. How can I update/change a user's password from the API project?
I would say that something is wrong with the requirement. To get an access token you redirect the user to the IDP UI. But to change a password you don't want to do that. Why? Setting a password through an API isn't secure. It means that the 3rd party application can change a user's password whenever it wishes. It's very risky.
In our case, the 3rd party app is also developed by us and we are going to use the Resource Owner Password flow. Our requirement is to keep the user in a single app. The user will provide username/password to the 3rd party app, which will authenticate via the IDP without redirecting the user to the IDP. The 3rd party app will make API calls for further services using the token. Now the user may want to update her password and will simply provide the current and new password. The 3rd party app will make an API call to update the user's password.
That's why I asked where the user types the password. My initial thought was that you use the resource owner flow. Most likely it's OK to use it for your own application. But you should spend some time adding more security checks, like notifying the user when a new login happens, etc. Still, I wouldn't recommend changing the password through the API.
How will it be possible to update the password via the API, which is secured via a token? Shall I create a user management API resource inside the IDP project, or shall I make the API able to manage users (which defeats the purpose of having the IDP to secure the API in the first place)?
1. Why use the IDP at all if you don't want to allow it to manage users' identities?
2. Do you have other applications (your own and/or 3rd party) which use the IDP?

Yes, we have a plan to use the IDP for other applications (our own). Our main objective is to separate authentication from other apps. Most of our clients will use an app that we develop for them.
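As an added example (not code from the question, the answer, or the IdentityServer4 project), this is the shape a change-password endpoint takes when it is hosted inside the IdentityServer4 project rather than the separate API, which is the first of the two options the asker lists. Keeping it next to the user store means the API project never handles passwords, and two details address the answer's concern that a client could change passwords at will: the user is taken from the validated token's `sub` claim rather than from a username in the request body, and ASP.NET Core Identity's `ChangePasswordAsync` refuses the change unless the supplied current password verifies. Assumptions: the IdentityServer4 host also uses ASP.NET Core Identity with an `ApplicationUser : IdentityUser` type, the host calls `services.AddLocalApiAuthentication()` so the built-in `LocalApi` policy protects the controller, and the client is allowed the `IdentityServerApi` scope. `ChangePasswordRequest` and `UsersController` are hypothetical names.

```csharp
// Added example: change-password endpoint hosted in the IdentityServer4 project.
// Registration assumed in Startup.ConfigureServices (not shown here):
//   services.AddIdentityServer()...;
//   services.AddLocalApiAuthentication();   // IdentityServer4 3.x+ local API support
// and the resource-owner client must have IdentityServerConstants.LocalApi.ScopeName
// ("IdentityServerApi") among its AllowedScopes.
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical request body: no username field on purpose. The caller can only
// change the password of the account the access token was issued for.
public class ChangePasswordRequest
{
    public string CurrentPassword { get; set; }
    public string NewPassword { get; set; }
}

[ApiController]
[Route("api/users")]
[Authorize(IdentityServerConstants.LocalApi.PolicyName)] // requires a valid token with the IdentityServerApi scope
public class UsersController : ControllerBase
{
    private readonly UserManager<ApplicationUser> _userManager; // ApplicationUser : IdentityUser is assumed

    public UsersController(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    [HttpPost("change_password")]
    public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest request)
    {
        // Identify the user from the validated token, never from the request body.
        // The local API handler surfaces the raw "sub" claim; the fallback covers
        // hosts where the inbound claim type map has renamed it to NameIdentifier.
        var subject = User.FindFirst(JwtClaimTypes.Subject)?.Value
                      ?? User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(subject))
        {
            return Unauthorized();
        }

        var user = await _userManager.FindByIdAsync(subject);
        if (user == null)
        {
            return Unauthorized();
        }

        // ChangePasswordAsync verifies CurrentPassword against the stored hash and
        // runs the configured password validators before storing the new hash. A
        // wrong current password yields a PasswordMismatch error, not a change.
        var result = await _userManager.ChangePasswordAsync(
            user, request.CurrentPassword, request.NewPassword);

        if (!result.Succeeded)
        {
            // Return the validator descriptions (e.g. "Incorrect password.") so the
            // client can show them; nothing about other accounts is disclosed.
            return BadRequest(result.Errors);
        }

        return NoContent();
    }
}
```

With this in place the separate API project needs no user-management code at all: the client app exchanges the user's credentials for a token through the resource-owner grant as the asker plans, then calls `POST /api/users/change_password` on the IdentityServer host with that token. A token issued to one subject cannot be used to change another subject's password, because the subject is never read from the request.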