0

Hi, I am using WSO2 Identity Server 5.3.0. I want to create users by using bulk import from a CSV file. I am able to do it successfully.

Problem Statement:

Users are created successfully, but in the documentation link it is mentioned that the default password expiry for the users is 24 hours. Is there any way, through configuration, that we can turn this setting off, or increase the time for this password expiry?

Document Link:

I enabled bulk storage in the user-mgt.xml file.

            <Property name="MembershipAttribute">member</Property>
            <Property name="BackLinksEnabled">false</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="SCIMEnabled">true</Property>
            <Property name="IsBulkImportSupported">true</Property>
            <Property name="EmptyRolesAllowed">true</Property>
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="MaxUserNameListLength">500</Property>
            <Property name="MaxRoleNameListLength">100</Property>
            <Property name="kdcEnabled">false</Property>
            <Property name="defaultRealmName">WSO2.ORG</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="ConnectionPoolingEnabled">false</Property>
            <Property name="LDAPConnectionTimeout">5000</Property>
            <Property name="ReadTimeout"/>
            <Property name="RetryAttempts"/>  

But I cannot find any configuration here to configure this time.

omer khalid

2 Answers

2

One other hack would be removing this password expiry property for all the users directly from the userstore database. You can simply set the "UM_REQUIRE_CHANGE" value for all the users to make their passwords work even after 24 hours.

UPDATE UM_USER SET UM_REQUIRE_CHANGE=FALSE;

Further explained in https://stackoverflow.com/a/57944771/2910841

Update: Since WSO2 IS 6.1.0, this expiry time can be configured. Ref: https://github.com/wso2/carbon-kernel/pull/3474

Sajith
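A scoped variant of the UPDATE in the answer above, as an added example (not the answerer's or WSO2's code): it clears UM_REQUIRE_CHANGE only for the usernames listed in the import CSV, within one tenant, so other accounts keep their forced password change. The in-memory SQLite table is a constructed stand-in holding only the columns used; the CSV layout (header row, username in the first column), the sample rows and the tenant id -1234 (super tenant) are assumptions to check against your own userstore.

```python
import csv
import io
import sqlite3

# Constructed sample of a bulk-import CSV (assumed layout: header row,
# username in the first column).
SAMPLE_CSV = """UserName,Password,Claims
alice,Init#123,http://wso2.org/claims/emailaddress=alice@example.com
bob,Init#456,http://wso2.org/claims/emailaddress=bob@example.com
"""

def imported_usernames(csv_text):
    """Return usernames from the first column, skipping header and blanks."""
    rows = csv.reader(io.StringIO(csv_text))
    next(rows, None)  # skip the header row
    return [r[0].strip() for r in rows if r and r[0].strip()]

def build_demo_db():
    """In-memory stand-in for UM_USER with only the columns used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UM_USER (UM_USER_NAME TEXT, "
               "UM_REQUIRE_CHANGE BOOLEAN, UM_TENANT_ID INTEGER)")
    db.executemany("INSERT INTO UM_USER VALUES (?, ?, ?)", [
        ("alice", 1, -1234),   # bulk-imported
        ("bob", 1, -1234),     # bulk-imported
        ("carol", 1, -1234),   # not in the CSV, must still change password
        ("alice", 1, 1),       # same username in a different tenant
    ])
    return db

def clear_require_change(db, usernames, tenant_id):
    """Clear the flag for the given users in one tenant; return rows changed."""
    changed = 0
    for name in usernames:
        cur = db.execute(
            "UPDATE UM_USER SET UM_REQUIRE_CHANGE = 0 "
            "WHERE UM_USER_NAME = ? AND UM_TENANT_ID = ? "
            "AND UM_REQUIRE_CHANGE = 1",
            (name, tenant_id))  # bound parameters, never string-built SQL
        changed += cur.rowcount
    db.commit()
    return changed

def still_flagged(db):
    """Accounts that will still be forced to change their password."""
    return db.execute(
        "SELECT UM_USER_NAME, UM_TENANT_ID FROM UM_USER "
        "WHERE UM_REQUIRE_CHANGE = 1 "
        "ORDER BY UM_TENANT_ID, UM_USER_NAME").fetchall()
```

Comparing the returned row count with the number of usernames in the CSV is a quick check that the update touched exactly the imported accounts.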
1

Currently, Identity Server does not have an out-of-the-box configuration option to increase the password validity period or to turn the setting off. However, we can accomplish your requirement of not invalidating the password by writing a custom component that extends the relevant UserStoreManager. For this purpose you can write a custom userstore manager extending the default JDBCUserStoreManager, which will make the password valid for an indefinite period. Please refer to [1] for more information regarding this. In this sample extension, you only need to override the method "doAddUser()", setting the requestPasswordChange variable to false in order to avoid the invalidation of the password. Sample code is as follows.

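@Override
public void doAddUser(String userName, Object credential, String[] roleList,
        Map<String, String> claims, String profileName, boolean requirePasswordChange)
        throws UserStoreException {
    // Ignore the caller's requirePasswordChange flag and always pass false,
    // so the new user's password is not marked for a forced change.
    super.doAddUser(userName, credential, roleList, claims, profileName, false);
}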

[1] https://docs.wso2.com/display/IS530/Writing+a+Custom+User+Store+Manager

sathya