[Migration] Account lock behavior when Initial account lock duration is set to 0

[sandushi]

Describe the issue:

• There is a behavior change of the account lock feature when Initial account lock duration is set to 0

• Previous product versions we have allowed to set value 0 to the Initial account lock duration configuration from the UI and when it is set to 0, the account lock feature is behave as below previously.

  • The user will be locked after max failed attempts are reached.
  • The user will be locked until the admin unlock the user in basic authentication.
  • https://is.docs.wso2.com/en/6.1.0/guides/identity-lifecycles/lock-accounts-by-failed-login-attempts/

• Currently, the console does not allow setting the Initial account lock duration to 0; it must be between 1 and 1440 minutes (1 day). As a result, the feature where the user remains locked after the maximum failed attempts, until the admin manually unlocks the account, is not functioning correctly because a value greater than 0 is always required.

• This behavior in the UI poses an issue when migrating from a previous product version to the latest one, especially if the Initial account lock duration was already set to 0. If users attempt to update any other account lock configuration and click the update button, the update will fail because the Initial account lock duration is set to 0. They will be forced to change this value to something greater than 0, which disrupts the use case of indefinitely locking the user until the admin unlocks the account.

How to reproduce:

• Enable the account lock feature and try to set the value Initial account lock duration to 0. You will be not able to do it.
• Try to set it to 0 from a previous product version and migrate to the latest product version. And try to edit another config from the UI of the Login attempts. You will not be able to update it because Initial account lock duration is set to 0 and you have to change it.
• Try out the account lock feature with Initial account lock duration= 0` and after max failed attempts.
  • Setup the usecase in previous version and try to migrate to a new version. then test the use case again.
  • Try to edit another config from the UI of the Login attempts. You will not be able to update it because Initial account lock duration is set to 0 and you have to change it.

Expected behavior:

• The behavior of the previous use case in a older product version should be remain after migrating to the new version.
• Need to document this behavior change on the migration doc.

[sandushi]

• This indefinite account lock duration feature is reintroduced by the below PRs :

  • Support the feature of indefinitely lock the user until the admin unlocks wso2-extensions/identity-outbound-auth-totp#193
  • Add new configuration to indefinitely lock the user util admin unlock identity-apps#6997

• Email Thread: Inconsistency of account lock behavior

• We need to add information about this new UI behavior for the already existing feature in the migration docs.

[nilasini]

@sandushi is there any blockers to merge the PRs?

[nilasini]

@sandushi any update regarding the PRs? Can we please get it merge? Is there any blockers?

[sandushi]

Update

• The back end change is merged.
• Front end PR needs some more improvements to provide the UI with better UX suggested by @brionmario .
• This is also tracked with Inconsistency in totp account lock on max failed attempt #21219