Introducing AccountState claim to maintain the user account status

Piraveena Paralogarajah
Sep 6, 2019

Before this improvement, we maintained only two states for a user, the Locked state and the Disabled state, and did not maintain a PENDING state. With this improvement, we introduce a new PENDING state and a new status claim. This improvement is available with IS 5.7.0 (update number 4863) and IS 5.8.0 (update number 4919) in WUM-updated packs, and in IS 5.9.0-m2 onward.

With this fix, in all three features (self-registration, email verification and ask password), the user is moved to a pending state once a confirmation email is sent. The status claim is set according to the flow. We maintain the state of the users using a claim, accountState, which can take the values below.

All states will be in UPPER_CASE

State Diagram

1. LOCKED: If accountLocked is true and accountDisabled is false
2. PENDING_AP (Pending_Ask_Password): Ask password email is sent and it is not verified yet
3. PENDING_EV (Pending_Email_Verification): Email verification is sent and it is not verified yet
4. PENDING_SR (Pending_Self_Registration): Self registration mail is sent and it is not verified yet
5. DISABLED: If accountDisabled is true
6. UNLOCKED: If the accountDisabled claim is false and the accountLocked claim is false

If the user is in an accountState = “pending” state, the user’s email is not verified yet. While the user is in a pending state, the accountLocked email will not be sent. In these PENDING states, once the user verifies the confirmation code sent via email, the user will be moved to the UNLOCKED state.

In the AskPassword flow and the EmailVerification flow, we use UserEmailVerificationHandler. In the Self-Registration flow, we use SelfUserRegistrationHandler. In these handlers, once the email is sent, we change the status of the claim. Once the email is verified, we set the state to UNLOCKED.
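The state rules and transitions described above can be modelled as follows. This is an added example, not WSO2 Identity Server code: the class, enum and method names are hypothetical, and the precedence between the rules (DISABLED first, then a pending flow, then LOCKED) is an assumption of the sketch.

```java
import java.util.EnumSet;

// Added illustration; not WSO2 Identity Server code. All names here are hypothetical.
public class AccountStateModel {

    enum AccountState { LOCKED, PENDING_AP, PENDING_EV, PENDING_SR, DISABLED, UNLOCKED }

    // Confirmation flow whose email was sent but is not yet verified (NONE if there is none).
    enum PendingFlow {
        NONE(null), ASK_PASSWORD(AccountState.PENDING_AP),
        EMAIL_VERIFICATION(AccountState.PENDING_EV), SELF_REGISTRATION(AccountState.PENDING_SR);

        final AccountState state;
        PendingFlow(AccountState state) { this.state = state; }
    }

    static final EnumSet<AccountState> PENDING =
            EnumSet.of(AccountState.PENDING_AP, AccountState.PENDING_EV, AccountState.PENDING_SR);

    // Rules from the list of states. The order in which they are checked is assumed.
    static AccountState resolve(boolean accountLocked, boolean accountDisabled, PendingFlow flow) {
        if (accountDisabled) return AccountState.DISABLED;
        if (flow != PendingFlow.NONE) return flow.state;
        return accountLocked ? AccountState.LOCKED : AccountState.UNLOCKED;
    }

    // Verifying the confirmation code moves a pending user to UNLOCKED; other states are unchanged.
    static AccountState onConfirmationVerified(AccountState current) {
        return PENDING.contains(current) ? AccountState.UNLOCKED : current;
    }

    // The accountLocked email is sent only for a real LOCKED state, never while pending.
    static boolean sendAccountLockedEmail(AccountState state) {
        return state == AccountState.LOCKED;
    }

    public static void main(String[] args) {
        // Constructed inputs: a self-registered user whose confirmation email is unverified.
        AccountState s = resolve(true, false, PendingFlow.SELF_REGISTRATION);
        System.out.println(s + " lockedEmail=" + sendAccountLockedEmail(s));
        System.out.println("after verification: " + onConfirmationVerified(s));

        // Constructed inputs: a locked account with no pending confirmation flow.
        s = resolve(true, false, PendingFlow.NONE);
        System.out.println(s + " lockedEmail=" + sendAccountLockedEmail(s));
        System.out.println(resolve(false, true, PendingFlow.NONE));
    }
}
```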

Adding a new claim

In order to keep track of users’ account state, we have introduced a new identity claim (http://wso2.org/claims/identity/accountState) to store the users’ account state.

This should be a readOnly claim. It cannot be updated by the admin user. For IS 5.7.0 and 5.8.0, we have to add this claim through the management console and make it readOnly. From IS 5.9.0-m2 onwards, this claim exists by default.

The value of the new claim is changed at the code level according to the state of the “accountLocked” and “accountDisabled” claims. If someone wants this new feature in 5.7.0 and 5.8.0, they have to add this new claim. If this claim does not exist, the self-registration, ask-password and email verification flows will work according to the previous model.

Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2