This applies to both lost and compromised passwords.
Example:
PATCH /users/{user_id}
{"user": {"password": "new-password"}}
Consequences:
- Token revocation event immediately emitted
- New password immediately takes effect
- All old passwords are immediately expired
Example:
POST /users/{user_id}/password
{"user": {"original_password": "old-password", "password": "new-password"}}
Consequences:
- New password immediately takes effect
- A revocation event is emitted and the old password no longer works
Example:
POST /users/{user_id}/OS-PW-ROTATE/password
{"user": {"original_password": "old-password", "password": "new-password"}}
Consequences:
- New password immediately takes effect
- The old password is still available for the duration of the deployer-defined grace period (and no revocation events are ever emitted)
Expire old passwords:
DELETE /users/{user_id}/OS-PW-ROTATE/old_passwords
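The differences between the calls above, as an added Python model (not Keystone code and not part of the original text). The class and method names, the in-memory plaintext storage and the rule that only the current password is accepted as original_password are assumptions made for illustration.

```python
import hmac
import time


class UserPasswords:
    """In-memory model of the password-change behaviours listed above."""

    def __init__(self, password, grace_seconds, clock=time.time):
        self.current = password
        self.old = []                       # (password, accepted_until) pairs
        self.grace_seconds = grace_seconds  # deployer-defined grace period
        self.revocation_events = 0
        self.clock = clock

    @staticmethod
    def _same(a, b):
        # Constant-time comparison; a real service compares password hashes.
        return hmac.compare_digest(a.encode(), b.encode())

    def authenticate(self, password):
        now = self.clock()
        if self._same(password, self.current):
            return True
        return any(self._same(password, p) and now < until for p, until in self.old)

    def _require_original(self, original):
        # Assumption: only the current password is accepted as original_password.
        if not self._same(original, self.current):
            raise PermissionError("original_password does not match")

    def admin_reset(self, new):             # PATCH /users/{user_id}
        self.current, self.old = new, []    # all old passwords expire at once
        self.revocation_events += 1

    def change(self, original, new):        # POST /users/{user_id}/password
        self._require_original(original)
        self.current = new                  # replaced password is not retained
        self.revocation_events += 1

    def rotate(self, original, new):        # POST .../OS-PW-ROTATE/password
        self._require_original(original)
        self.old.append((self.current, self.clock() + self.grace_seconds))
        self.current = new                  # no revocation event on this path

    def expire_old(self):                   # DELETE .../OS-PW-ROTATE/old_passwords
        self.old = []                       # ends every grace period early
```

In this model, rotate is the only path on which the previous password keeps authenticating and no revocation event is recorded; expire_old closes that window before the grace period runs out.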