Locking User Accounts

User accounts can be locked by creating a lock. Accounts may have multiple active locks, each of which must be unlocked to unlock the account.

Locked user accounts are prevented from signing in. Access tokens of locked users are considered invalid; however, relying parties only learn of this change by introspecting the token regularly.

Locking an account

User accounts can become locked for many reasons:

  1. Account is locked by an administrator
  2. Account is locked after too many failed password entries - depends on namespace configuration
  3. Account has been inactive for too long - depends on namespace configuration

An administrator or an API client can lock another user's account if they meet the following requirements:

  • The target user must be visible to them, e.g. they must have access to the target user's namespace
  • They must have the permission ACCOUNT_LOCK

Locking with the Management UI

  • Select the target User's namespace
  • Open the Accounts view
  • Find and select the target user
  • Select Actions / Lock selected account

Unlocking with the Management UI

Unlocking can be done through the management UI.

  • Select the target User's namespace
  • Open the Accounts view
  • Find and select the target User
  • Select Actions / Unlock selected account

Lock management with the Management API

To manage locks via the REST API:

  • Create a lock
    POST /api/rest/v1/user/{userId}/locks
    Adds a new lock to the specified user account.

  • List locks
    GET /api/rest/v1/user/{userId}/locks
    Retrieves all locks associated with the account, including active and unlocked ones.

  • Unlock a specific lock
    DELETE /api/rest/v1/user/{userId}/locks/{lockId}
    Unlocks the specified lock. The account is considered unlocked only when all locks have been unlocked.
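As an added example (not the product's own SDK), a small Python client for the three endpoints above, run against an in-memory stand-in for the Management API so it works offline; the lock JSON shape (`id`, `active`), the `send` transport and the `FakeLockService` are assumptions, not documented behaviour.

```python
from typing import Callable

BASE = "/api/rest/v1/user"  # endpoint prefix from the docs above

class LockClient:
    """Wrapper over the three lock endpoints. `send(method, path)` performs the
    HTTP call (with the deployment's auth) and returns the decoded JSON body."""
    def __init__(self, send: Callable[[str, str], object]):
        self.send = send

    def create_lock(self, user_id: str) -> dict:
        return self.send("POST", f"{BASE}/{user_id}/locks")

    def list_locks(self, user_id: str) -> list:
        return self.send("GET", f"{BASE}/{user_id}/locks")

    def unlock(self, user_id: str, lock_id: str) -> dict:
        return self.send("DELETE", f"{BASE}/{user_id}/locks/{lock_id}")

    def is_locked(self, user_id: str) -> bool:
        # The list includes already-unlocked locks, so filter on the active flag
        # (assumed field name): one active lock keeps the whole account locked.
        return any(lock["active"] for lock in self.list_locks(user_id))

    def unlock_all(self, user_id: str) -> int:
        """Release every active lock one by one; returns how many were released."""
        active = [lock for lock in self.list_locks(user_id) if lock["active"]]
        for lock in active:
            self.unlock(user_id, lock["id"])
        return len(active)


class FakeLockService:
    """In-memory stand-in for the Management API (constructed for this example)
    implementing the documented semantics: many locks per account, unlock per lock."""
    def __init__(self):
        self.locks = {}      # user_id -> list of lock dicts
        self.counter = 0

    def __call__(self, method: str, path: str):
        parts = path.split("/")  # ['', 'api', 'rest', 'v1', 'user', uid, 'locks', lockId?]
        locks = self.locks.setdefault(parts[5], [])
        if method == "POST":
            self.counter += 1
            locks.append({"id": f"lock-{self.counter}", "active": True})
            return locks[-1]
        if method == "GET":
            return list(locks)
        if method == "DELETE":
            lock = next(l for l in locks if l["id"] == parts[7])
            lock["active"] = False
            return lock
        raise ValueError(f"unsupported method {method}")
```

Swap `FakeLockService` for a function that issues the real HTTP calls and the client logic stays the same, including the "unlocked only when all locks are unlocked" check.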