From 3e0910cadf131cc9a9e32a6f310484b87460fe49 Mon Sep 17 00:00:00 2001
From: GitHub Action Bot
Date: Fri, 28 Apr 2023 15:45:56 +0000
Subject: [PATCH] Automated commit by github action: 4832382054
---
 .../api-specs/idn/v3/paths/set-password.yaml | 40 ++++++++++++++++++-
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/static/api-specs/idn/v3/paths/set-password.yaml b/static/api-specs/idn/v3/paths/set-password.yaml
index bb98f6e05..e324f4d49 100644
--- a/static/api-specs/idn/v3/paths/set-password.yaml
+++ b/static/api-specs/idn/v3/paths/set-password.yaml
@@ -6,9 +6,45 @@ post:
 description: |
 This API is used to set a password for an identity.
- An identity can change their own password if they use a token generated by their IDN user, such as a [personal access token](https://developer.sailpoint.com/idn/api/authentication#personal-access-tokens) or ["authorization_code" derived OAuth token](https://developer.sailpoint.com/idn/api/authentication#authorization-code-grant-flow).
+ An identity can change their own password (as well as any of their accounts' passwords) if they use a token generated by their IDN user, such as a [personal access token](https://developer.sailpoint.com/idn/api/authentication#personal-access-tokens) or ["authorization_code" derived OAuth token](https://developer.sailpoint.com/idn/api/authentication#authorization-code-grant-flow).
- A token with [API authority](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow) can be used to change **any** identity's password. "API authority" refers to a token that only has the "client_credentials" grant type.
+ A token with [API authority](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow) can be used to change **any** identity's password or the password of any of the identity's accounts.
+ "API authority" refers to a token that only has the "client_credentials" grant type.
+
+ You can use this endpoint to generate an `encryptedPassword` (RSA encrypted using publicKey.
+ To do so, follow these steps:
+
+ 1. Use [Query Password Info](https://developer.sailpoint.com/idn/api/v3/query-password-info) to get the following information: `identityId`, `sourceId`, `publicKeyId`, `publicKey`, `accounts`, and `policies`.
+
+ 2. Choose an account from the previous response that you will provide as an `accountName` in your request to set an encrypted password.
+
+ 3. Use [Set Identity's Password](https://developer.sailpoint.com/idn/api/v3/set-password) and provide the information you got from your earlier query. Then add this code to your request to get the encrypted password:
+
+ ```java
+ import javax.crypto.Cipher;
+ import java.security.KeyFactory;
+ import java.security.PublicKey;
+ import java.security.spec.X509EncodedKeySpec;
+ import java util.Base64;
+
+ String encrypt(String publicKey, String toEncrypt) throws Exception {
+ byte[] publicKeyBytes = Base64.getDecoder().decode(publicKey);
+ byte[] encryptedBytes = encryptRsa(publicKeyBytes, toEncrypt.getBytes("UTF-8"));
+ return Base64.getEncoder().encodeToString(encryptedBytes);
+ }
+
+ private byte[] encryptRsa(byte[] publicKeyBytes, byte[] toEncryptBytes) throws Exception {
+ PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(publicKeyBytes));
+ String transformation = "RSA/ECB/PKCS1Padding";
+ Cipher cipher = Cipher.getInstance(transformation);
+ cipher.init(1, key);
+ return cipher.doFinal(toEncryptBytes);
+ }
+ ```
+
+ In this example, `toEncrypt` refers to the plain text password you are setting and then encrypting, and the `publicKey` refers to the publicKey you got from the first request you sent.
+
+ You can then use [Get Password Change Request Status](https://developer.sailpoint.com/idn/api/v3/get-password-change-status) to check the password change request status. To do so, you must provide the `requestId` from your earlier request to set the password.
 requestBody:
 required: true
 content:
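Review bot: The Java sample added to the description will not compile as written: `import java util.Base64;` is missing the package separator and should read `import java.util.Base64;`, and `cipher.init(1, key);` uses a bare magic number where the documented form is `cipher.init(Cipher.ENCRYPT_MODE, key);`. Because integrators are expected to copy this snippet to protect a plaintext password before it leaves their process, a sample that fails at compile time or hides the cipher mode invites ad hoc edits that are hard to review. The sentence ending "RSA encrypted using publicKey." also has an unclosed parenthesis. The `RSA/ECB/PKCS1Padding` transformation is presumably fixed by the service's decryption side; if so, saying that explicitly next to the snippet would stop readers from substituting a different padding and getting an opaque failure.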