245 | | If a user cannot log in - for example their password has expired or they have forgotten it - the application can use the `requestPasswordReset` interface to issue temporary credentials that can be used to set a user's password to a known value. When `requestPasswordReset` is called |
| 245 | If a user cannot log in - for example their password has expired or they have forgotten it - the application can use the `requestPasswordReset` interface to issue temporary credentials that can be used to set a user's password to a known value. When `requestPasswordReset` is called the credentials are e-mailed to the user's e-mail address. That address is part of their required profile. The application can then gather a password from the user and call the `changePasswordChallenge` operation with the new passowrd and the temporary credentials from the e-mail. To make it easier for browser based applications to incorporate this interaction into their operations, `requestPasswordReset` takes a URL prefix that it can embed in the challenge it sends to the user, allowing the user to click on that URL in the mail to transfer the temporary credentials back to the application. |
| 246 | |
| 247 | As an example of using the URL prefix, if a user forgets their password, the application can call `requestPasswordChange` with a URL prefix of `https://myapp.example.com/resetpassword?challenge=`. The user will get an e-mail including the link `https://myapp.example.com/resetpassword?challenge=`''temporary_credentials'' that they can click on. That link will take the user back into the web-based application to a page that collects the new password. The app has the temporary credentials from the URL. |
| 248 | |
| 249 | ==== Creating New Users ==== |
| 250 | |
| 251 | To create a new account/user instance, an application calls the `createUser` operation from the `Users` [wiki:SPIDocs#Services service]. The application must provide a valid profile, can provide a preferred user ID, and an application URL prefix. |
| 252 | |
| 253 | The profile must have all non-optional fields present, and any fields having required formats correctly formatted. The application can get the profile requirements from the [wiki:SPIDocs#Profiles profile service]. Note that all `READ_ONLY` fields are specified at this time - creation is when they are written. |
| 254 | |
| 255 | The application can request a user ID if the user requests one. If that ID is already taken, the testbed will pick a similar one. If no ID is specified, a base user ID is generated from the required e-mail address and if '''that''' is taken, a similar one is generated. |
| 256 | |
| 257 | The request can also include a URL prefix that works the same way as the URL prefix in the [wiki:SPIDocs#PasswordManagement password reset interface]. The user is created without a valid password, and the same sort of temporary credentials are issued and mailed to the user. A browser-based application can use the URL prefix to redirect the user back to the application to set their initial password. |
| 258 | |
| 259 | Once the user is created through this interface, that user has very few rights because it is not a member of an [wiki:SPIDocs#Projects approved project]. It can reset its password and either create a project or attempt to join an existing one. |
| 260 | |
| 261 | ==== Administrative Operations ==== |
| 262 | |
| 263 | There are a few more operations that are restricted to administrators. |
| 264 | |
| 265 | There are [SPIDocs#Profiles profile] operations to add, remove and change attributes to the user profile schema. |
| 266 | |
| 267 | There is an operation `sendNotification` to send a system [wiki:SPIDocs#Notifications notification] to users. |
| 268 | |
| 269 | There is an operation, `createUserNoConfirm` to create a new user instance with a valid password, without going through an e-mail confirmation to set a password. |
| 270 | |
| 271 | These are documented below. |
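Review bot: New line 247 tells the application to call `requestPasswordChange`, but line 245 names the operation that takes the URL prefix `requestPasswordReset`; use one name in both places so readers do not go looking for a second operation. Also on line 245, "passowrd" should be "password". On line 265 the link is written `[SPIDocs#Profiles profile]` while every other link in this change uses the `wiki:` prefix, so it will probably not render as a link. Lines 245 to 247 describe the temporary credentials travelling in the query string after `?challenge=`, and line 257 reuses the same mechanism for initial passwords, yet nothing here says how long those credentials stay valid, whether they can be used more than once, or whether the application-supplied URL prefix is checked before it is mailed out. Application writers need those properties to handle the link safely, so please state them or point to where they are documented.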