<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Gustavo,<br>
<br>
Yes, this is a correct approach. I'm am slightly concerned about the
step 2, though. If the user has the ability to read it's own object
("self") then that step should work. But I'm not sure if we have
tested this. But I'm sure you are going to try it. So in case that
it does not work please report a bug, because it is supposed to
work.<br>
<br>
Thinking about this ... I can see that this process might be a bit
cumbersome and a bit inefficient. Especially considering that
midPoint knows the identity of logged-in user (even in REST). So I
can imagine having a resource something like
<a class="moz-txt-link-freetext" href="http://xxxxx/midpoint/ws/rest/users/self">http://xxxxx/midpoint/ws/rest/users/self</a> that could return the
object representing the logged-in user. This will make it all
easier. However, this is not implemented now. If you want that
please add that as a new feature in jira. However it will need
sponsoring or subscriber endorsement to get implemented anytime
soon.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 07/01/2016 07:50 PM, Gustavo J
Gallardo wrote:<br>
</div>
<blockquote
cite="mid:CAA68kP8ZH8xU=2RDvB+LNTrphmO=hsrAfL6Yt2mh1hryP8a=3Q@mail.gmail.com"
type="cite">
<div dir="ltr">Hi all,
<div>we are running midPoint 3.4 and our customer has an
existing web portal where they want to maintain all end-user
interaction.</div>
<div>They are building a component to allow end-users to change
their passwords. We would like them to use the REST API. From
the portal, they will have the username from the session and
present a form to ask the user's old_password and
new_password.</div>
<div><br>
</div>
<div>Our idea so far:</div>
<div>1) Grant our end-users a custom role with <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all"><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all">http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all</a></a>
authorization, in addition to the minimum requirements to
change his own credentials and it's shadow's credentials.<br>
</div>
<div>2) use <a moz-do-not-send="true"
href="http://xxxxx/midpoint/ws/rest/users/search">http://xxxxx/midpoint/ws/rest/users/search</a>,
to find the user by name and parsing the XML result to get his
oid.</div>
<div>3) use <a moz-do-not-send="true"
href="http://xxxxxx/midpoint/ws/rest/users/%7Buser_oid%7D">http://xxxxxx/midpoint/ws/rest/users/{user_oid}</a>
to POST an objectModification to set credentials/password</div>
<div>(both REST calls would use username:old_password for
authorization)</div>
<div><br>
</div>
<div>Is this the correct approach? Is there any better/easier
way to achieve this?</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>GJG</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>