zitadel/zitadel

Remove Password Age Policy

Closed this issue · 7 comments

The password age policy can be managed but it doesn't do anything. This is confusing and we basically maintain dead code. The feature does not have enough requests to justify finishing its implementation. Our data doesn't show any signs of usage. Therefore we deprecate the APIs and then delete them.

As a user, I only want to wrap my head around methods that actually matter, so that I don't waste my time.
As a developer, I want to maintain code that is actually used, so that I don't waste my time.

Acceptance Criteria

  • Methods are marked as deprecated and as noop methods in docs.
  • Logs print deprecation warnings when the methods are called.
  • Their removal is announced with an exact release version in docs and logs.
  • Methods, code, default config and translations related to password age policies are eventually removed.

@hifabienne do you have something to add?

Do we need to deprecate them before we can delete them? As they are actually not implemented, can't we just delete them?
Is it a breaking change if you remove something that never was implemented?

They are implemented, the policy just doesn't do anything. This means theoretically, clients could stop working.

Ok. I misunderstood, I thought it's not even implemented in the backend and we do not store it.
In that case I am fine with the deprecation warning, do we already have a timeline when we will remove after deprecation?

I'd have the warning in two minors and remove it in the third. I will deprecate the methods today.

ashep commented

Hi there. By the way, I have a related question about this functionality #8048.

In short, in my project, I need to force users to change their passwords every N months, and I am trying to figure out how to achieve this after I've found that Zitadel doesn't implement this.

Can someone point out to me how to at least find the time of the user's last password change?

Thank you.

We rethought this and came up with another solution.