Sugar Identity and /me/password endpoints.

Hey Everyone!

I have an integration running on an instance that has introduced a password expiration policy.

In the past, I could get around this by using the /me/password (PUT) endpoint, which would update the password and would also update the "password_last_updated" field regularly. This "password_last_updated" entry would determine whether the password was expired or not.

Password expiration is now handled by Sugar Identity and the "password_last_updated" field is no longer used (so no questionable SQL update query on our user's record would work either).

The /me/password (PUT) endpoint no longer works with Sugar Identity.

{
    "old_password" : "-password-",
    "new_password" : "-password-"
}

This is the response I get:

{
    "valid": false,
    "message": "Error: Incorrect password."
}

This is false, even though the password here was also used to get the token for this call. I can only assume that this is because of changes linked to the enabling of Sugar Identity.

Is there a way to work around this, other than changing a Sugar Identity password regularly or changing the password policy?

Thanks!

  • Hi Ken,

    If your instance is using Sugar Identity, there is no way around it: you have to refresh the user's password there. Even if you try to click on the "Change Password" menu item in the SugarCRM UI, you will see that it redirects you to the Sugar Identity page to change the password.

    I believe there is an API the Sugar Identity team is working on at the moment, but it will not be available anytime soon.

    Unfortunately, there is no other way except for the Sugar Identity where you can update the user's password.

    On the other side, Sugar Identity is a web application with all the HTTP requests and responses. I can see that there is a POST request to change the password (if you try to change the password for the current user from the SugarCRM side). For that, you have to be authorized on the Sugar Identity and send the correct csrf_token, together with the old and the new passwords. I am not saying it will be easy :)

    I hope that will help you.

    Best regards,
    Konstantin

  • Thanks. It is as I suspected. We'll just have to deal with it for the time being.