Local user password change (embedded IdP) (#5132)

2026-04-16 07:16:38 +00:00 · 2026-01-20 14:16:42 +01:00
parent 50da5074e7
commit a0b0b664b6
12 changed files with 754 additions and 320 deletions
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -44,6 +44,20 @@ tags:

 components:
  schemas:
+    PasswordChangeRequest:
+      type: object
+      properties:
+        old_password:
+          description: The current password
+          type: string
+          example: "currentPassword123"
+        new_password:
+          description: The new password to set
+          type: string
+          example: "newSecurePassword456"
+      required:
+        - old_password
+        - new_password
    WorkloadType:
      type: string
      description: |
@@ -3205,6 +3219,43 @@ paths:
          "$ref": "#/components/responses/forbidden"
        '500':
          "$ref": "#/components/responses/internal_error"
+  /api/users/{userId}/password:
+    put:
+      summary: Change user password
+      description: Change the password for a user. Only available when embedded IdP is enabled. Users can only change their own password.
+      tags: [ Users ]
+      security:
+        - BearerAuth: [ ]
+        - TokenAuth: [ ]
+      parameters:
+        - in: path
+          name: userId
+          required: true
+          schema:
+            type: string
+          description: The unique identifier of a user
+      requestBody:
+        description: Password change request
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PasswordChangeRequest'
+      responses:
+        '200':
+          description: Password changed successfully
+          content: {}
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '412':
+          description: Precondition failed - embedded IdP is not enabled
+          content: { }
+        '500':
+          "$ref": "#/components/responses/internal_error"
  /api/users/current:
    get:
      summary: Retrieve current user
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@@ -1201,6 +1201,15 @@ type OSVersionCheck struct {
 	Windows *MinKernelVersionCheck `json:"windows,omitempty"`
 }

+// PasswordChangeRequest defines model for PasswordChangeRequest.
+type PasswordChangeRequest struct {
+	// NewPassword The new password to set
+	NewPassword string `json:"new_password"`
+
+	// OldPassword The current password
+	OldPassword string `json:"old_password"`
+}
+
 // Peer defines model for Peer.
 type Peer struct {
 	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
@@ -2354,6 +2363,9 @@ type PostApiUsersJSONRequestBody = UserCreateRequest
 // PutApiUsersUserIdJSONRequestBody defines body for PutApiUsersUserId for application/json ContentType.
 type PutApiUsersUserIdJSONRequestBody = UserRequest

+// PutApiUsersUserIdPasswordJSONRequestBody defines body for PutApiUsersUserIdPassword for application/json ContentType.
+type PutApiUsersUserIdPasswordJSONRequestBody = PasswordChangeRequest
+
 // PostApiUsersUserIdTokensJSONRequestBody defines body for PostApiUsersUserIdTokens for application/json ContentType.
 type PostApiUsersUserIdTokensJSONRequestBody = PersonalAccessTokenRequest