Add documentation for password reset enforcer #6038

Open
NipuniBhagya wants to merge 5 commits into wso2:master from NipuniBhagya:password-reset

NipuniBhagya (Contributor) commented Apr 7, 2026

Purpose

This pull request updates the documentation for configuring rule-based password expiration to clarify how password expiry enforcement can be targeted to all organization users or only to specific application login flows. It also adds helpful notes and tips to guide users through the configuration process.

Documentation improvements for password expiration configuration:

  • Clarified the Enforce password expiry for option, explaining the difference between enforcing password expiry for all organization users versus specific application login flows in both account-configurations/login-security/password-validation.md and user-accounts/account-security/password-validation.md. [1] [2]
  • Added a note explaining that selecting "Specific application login flows" disables organization-wide enforcement, and that "All organization users" maintains the default behavior. [1] [2]
  • Included a tip on how to enforce password expiry for a specific application by configuring its login flow, with a reference to the relevant configuration guide. [1] [2]
  • Improved the step-by-step instructions and re-ordered steps for clarity, ensuring users understand when and how to set default and custom expiry rules. [1] [2]

Related Issue

Test environment

Security checks

coderabbitai bot (Contributor) commented Apr 7, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 6c10a0f and 0b4a707.

📒 Files selected for processing (1)
  • en/includes/guides/account-configurations/login-security/password-validation.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • en/includes/guides/account-configurations/login-security/password-validation.md

📝 Walkthrough

Introduces an Asgardeo-only "Enforce password expiry for" selector in rule-based password expiration (All application login flows vs Selected application login flows), documents enforcing expiry per application via the Password Reset Enforcer, adds an adaptive script example for post-reset re-authentication, and renumbers steps accordingly.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Password Validation Documentation `en/includes/guides/account-configurations/login-security/password-validation.md` | Added an Asgardeo-only selector step "Enforce password expiry for" (All application login flows vs Selected application login flows). Inserted Asgardeo-specific guidance on enforcing expiry per application using the Password Reset Enforcer login-flow step. Added an adaptive script example using passwordResetComplete and fail() to require re-authentication after password reset. Adjusted step numbering for Asgardeo branch; non-Asgardeo flow retains default steps but shifts position due to the new selector. |

Suggested labels

Team/Authentication & registration, Team/User & identity administration

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'Add documentation for password reset enforcer' is partially related to the changeset. The PR primarily updates password expiration documentation with clarifications and improved instructions, but the title focuses narrowly on 'password reset enforcer' which is only one small aspect mentioned in a tip section. | Consider revising the title to better reflect the main change, such as 'Clarify password expiration enforcement options in documentation' or 'Update password expiration documentation with enforcement guidance'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description check | ✅ Passed | The PR description covers the Purpose and Related Issue sections well, explaining the documentation improvements clearly. However, the Test environment section is empty (marked with a comment placeholder), and the Security checks section contains unchecked checkboxes without any substantive content or explanations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/guides/account-configurations/login-security/password-validation.md`:
- Line 46: Replace the word "that" with "who" in the sentence "Set a default
password expiry rule that applies to any user that does not meet the custom
criteria." so it reads "Set a default password expiry rule that applies to any
user who does not meet the custom criteria."; locate this sentence in the
login-security/password-validation.md content and update the pronoun to "who" to
follow the plain-language guideline.
- Around line 52-57: The admonition bodies for the `!!! note` and `!!! tip`
blocks are not indented, so move the paragraph lines under each admonition to be
indented (e.g., prefix with two spaces) so they are nested inside the `!!! note`
and `!!! tip` blocks; target the `!!! note` and `!!! tip` markers in
password-validation.md and indent the subsequent explanatory lines to fix
rendering.

In `@en/includes/guides/user-accounts/account-security/password-validation.md`:
- Line 34: Replace "that" with "who" in the sentence "Set a default password
expiry rule that applies to any user that does not meet the custom criteria." so
it reads "Set a default password expiry rule that applies to any user who does
not meet the custom criteria." Locate this exact sentence in the document
(password-validation.md) and update the wording to use "who" for person-first
phrasing while keeping the rest of the sentence unchanged.

📥 Commits

Reviewing files that changed from the base of the PR and between 756a098 and 7316bac.

📒 Files selected for processing (2)
  • en/includes/guides/account-configurations/login-security/password-validation.md
  • en/includes/guides/user-accounts/account-security/password-validation.md

- **All organization users** (default): Enforces password expiry for all users upon login, regardless of which application they sign in to.
- **Specific application login flows**: Enforces password expiry only when users sign in to applications where password expiry has been enabled in the login flow.

3. Set a default password expiry rule that applies to any user that does not meet the custom criteria.

⚠️ Potential issue | 🟡 Minor

Use “who” for people

Line 34 should use “who” instead of “that” for person-first wording.

✏️ Proposed fix
-3. Set a default password expiry rule that applies to any user that does not meet the custom criteria.
+3. Set a default password expiry rule that applies to any user who does not meet the custom criteria.

As per coding guidelines: "Use plain language and short sentences."

Suggested change
3. Set a default password expiry rule that applies to any user that does not meet the custom criteria.
3. Set a default password expiry rule that applies to any user who does not meet the custom criteria.
🧰 Tools
🪛 LanguageTool

[style] ~34-~34: Consider using “who” when you are referring to a person instead of an object.
Context: ...rd expiry rule that applies to any user that does not meet the custom criteria. 4. ...

(THAT_WHO)

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
en/includes/guides/account-configurations/login-security/password-validation.md (1)

75-75: ⚠️ Potential issue | 🟡 Minor

Use “who” for people

Line 75 should use “who” instead of “that” in “any user that does not meet…”.

✏️ Suggested edit
-3. Set a default password expiry rule that applies to any user that does not meet the custom criteria.
+3. Set a default password expiry rule that applies to any user who does not meet the custom criteria.

As per coding guidelines: “Use plain language and short sentences.”

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/includes/guides/account-configurations/login-security/password-validation.md`
at line 75, Update the sentence "Set a default password expiry rule that applies
to any user that does not meet the custom criteria." to use "who" for people:
change "any user that does not meet the custom criteria" to "any user who does
not meet the custom criteria" so the sentence reads "Set a default password
expiry rule that applies to any user who does not meet the custom criteria."
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/guides/account-configurations/login-security/password-validation.md`:
- Around line 44-45: Replace all instances of "sign in" with the
repository-standard verb "log in" in the two bullet descriptions for **All
application login flows** and **Selected application login flows** so the text
reads "upon log in" and "when users log in to applications" (and also update the
other occurrence mentioned at lines 53-53) to ensure consistent use of "log in"
(verb) and "login" (noun/adjective) across the doc.
- Line 48: Update the link in the sentence that starts "To enforce password
expiry for a specific application, add the Password Reset Enforcer..." so it
points directly to the task-oriented guide for configuring an application's
login flow with the Password Reset Enforcer (replace the broad "Configure login
flows" link target and anchor text with a specific "Configure an application's
login flow" or "Add Password Reset Enforcer to an application login flow" page);
locate the sentence containing "Password Reset Enforcer" in
password-validation.md and change the href and link text to the specific task
page that shows how to add the Password Reset Enforcer to an application's login
flow.

📥 Commits

Reviewing files that changed from the base of the PR and between 7316bac and c312cac.

⛔ Files ignored due to path filters (2)
  • en/asgardeo/docs/assets/img/guides/organization/account-security/password-validation/password-expiration.png is excluded by !**/*.png
  • en/asgardeo/docs/assets/img/guides/organization/account-security/password-validation/password-expiry-reset-enforcer.png is excluded by !**/*.png
📒 Files selected for processing (1)
  • en/includes/guides/account-configurations/login-security/password-validation.md

- **Selected application login flows**: Enforces password expiry only when users sign in to applications where password expiry has been enabled in the login flow. When selected, organization-wide password expiry enforcement is disabled.

!!! info
To enforce password expiry for a specific application, add the Password Reset Enforcer as an authentication step in the application's login flow. See [Configure login flows]({{base_path}}/guides/authentication/) for instructions.

⚠️ Potential issue | 🟠 Major

Make the per-application setup link more task-directed

Line 48 points to a broad authentication overview. For this step, readers need a direct path to configure an application login flow with Password Reset Enforcer; otherwise the instruction is hard to execute.

As per coding guidelines: “Task-based documentation must follow a logical, goal-oriented structure” and links should support actionable completion.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
en/includes/guides/account-configurations/login-security/password-validation.md (1)

18-18: ⚠️ Potential issue | 🟡 Minor

Remove trailing spaces.

Line 18 has 4 trailing spaces, which violates Markdown formatting rules. Remove them to fix the linting failure.

🧹 Proposed fix
-    ![Reset Password]({{base_path}}/assets/img/guides/organization/account-security/password-validation/reset-password.png){: width="400" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
+    ![Reset Password]({{base_path}}/assets/img/guides/organization/account-security/password-validation/reset-password.png){: width="400" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
     
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/includes/guides/account-configurations/login-security/password-validation.md`
at line 18, Remove the 4 trailing spaces in the Markdown file
password-validation.md on the affected line (the blank/paragraph at line 18) so
the line ends with no extra whitespace; simply delete the trailing spaces and
save the file to resolve the linting failure.
♻️ Duplicate comments (1)
en/includes/guides/account-configurations/login-security/password-validation.md (1)

48-48: ⚠️ Potential issue | 🟠 Major

The link to "Configure login flows" is too broad for this task.

This line instructs users to add the Password Reset Enforcer to an application's login flow, but the link points to a general authentication overview. Readers need a direct path to the specific procedure for adding an authenticator to an application login flow to complete this task.

As per coding guidelines: "Task-based documentation must follow a logical, goal-oriented structure" and "Use descriptive link text for internal links and prefer linking to canonical pages."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/includes/guides/account-configurations/login-security/password-validation.md`
at line 48, Replace the broad "Configure login flows" link with a direct,
canonical page that outlines how to add an authenticator to an application's
login flow; update the link text to something descriptive like "Add an
authenticator to an application's login flow" and ensure it points to the
specific procedure for adding the Password Reset Enforcer (referencing the
"Password Reset Enforcer" phrase and the existing link text "Configure login
flows" to locate the line to change).
🧹 Nitpick comments (1)
en/includes/guides/account-configurations/login-security/password-validation.md (1)

48-48: Format "Password Reset Enforcer" as a UI element.

"Password Reset Enforcer" is a specific authenticator feature and should be formatted in bold to match the treatment of other UI elements and features in the documentation.

🎨 Proposed formatting fix
-            To enforce password expiry for a specific application, add the Password Reset Enforcer as an authentication step in the application's login flow. See [Configure login flows]({{base_path}}/guides/authentication/) for instructions.
+            To enforce password expiry for a specific application, add the **Password Reset Enforcer** as an authentication step in the application's login flow. See [Configure login flows]({{base_path}}/guides/authentication/) for instructions.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/includes/guides/account-configurations/login-security/password-validation.md`
at line 48, Update the documentation sentence that mentions the specific
authenticator by formatting the phrase "Password Reset Enforcer" as a UI element
(bold) to match other feature names; locate the sentence that reads "To enforce
password expiry for a specific application, add the Password Reset Enforcer as
an authentication step..." and change only the visual formatting of the token
"Password Reset Enforcer" to bold while keeping the rest of the text unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/guides/account-configurations/login-security/password-validation.md`:
- Around line 75-77: Rename the numbered list items in password-validation.md so
that when the Asgardeo-only block is omitted the sequence reads 1,2,3 (change
the current "3. Set a default..." to "2." and "4. Click Add Rule..." to "3.");
wrap the numbers in the existing Jinja conditional logic so that if the Asgardeo
block is present they render as 3 and 4 and otherwise as 2 and 3, and also
replace the word "subsequent" with "Each" in the "Click **Add Rule**" sentence
to address the Vale warning.

📥 Commits

Reviewing files that changed from the base of the PR and between c312cac and 6c10a0f.

📒 Files selected for processing (1)
  • en/includes/guides/account-configurations/login-security/password-validation.md

@@ -38,9 +38,43 @@ To configure rule-based password expiration,

1. Turn the **Password Expiration** toggle on to enable password expiration.

2. Set a default password expiry rule that applies to any user that does not meet the custom criteria.
{% if product_name == "Asgardeo" %}
2. In the **Enforce password expiry for** field, select who the password expiry policy applies to:
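
Review bot: The new step 2 says "select who the password expiry policy applies to", but the options offered for this field are scoped by application login flow, not by user. Which users a rule covers is decided by the default and custom expiry rules in the following steps, so an administrator could read this field as a user filter and misjudge the enforcement scope. Suggest wording the step around where expiry is enforced, for example "select the login flows in which password expiry is enforced".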

Suggested change
2. In the **Enforce password expiry for** field, select who the password expiry policy applies to:
2. Select the users to whom the password expiry policy should apply using the **Enforce password expiry for** field.:

{% if product_name == "Asgardeo" %}
2. In the **Enforce password expiry for** field, select who the password expiry policy applies to:

- **All application login flows** (default): Enforces password expiry for all users upon login, regardless of which application they log in to.

Suggested change
- **All application login flows** (default): Enforces password expiry for all users upon login, regardless of which application they log in to.
- **All application login flows**: Applies the password expiry policy to all users during login, regardless of the application they access. This is the default behavior.

2. In the **Enforce password expiry for** field, select who the password expiry policy applies to:

- **All application login flows** (default): Enforces password expiry for all users upon login, regardless of which application they log in to.
- **Selected application login flows**: Enforces password expiry only when users log in to applications where password expiry has been enabled in the login flow. When selected, organization-wide password expiry enforcement is disabled.
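
Review bot: The **Selected application login flows** bullet states that organization-wide enforcement is disabled, but it does not spell out the consequence: if no application has password expiry enabled in its login flow, expired passwords are not enforced anywhere, and users who log in only through applications without the step are never prompted to reset. Suggest adding a sentence after "organization-wide password expiry enforcement is disabled" that tells administrators to add the Password Reset Enforcer to the intended application login flows before selecting this option, and to confirm that every application that should enforce expiry is covered.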

Suggested change
- **Selected application login flows**: Enforces password expiry only when users log in to applications where password expiry has been enabled in the login flow. When selected, organization-wide password expiry enforcement is disabled.
- **Selected application login flows**: Enforces password expiry only when users log in to applications that have enabled this in the login flow. Selecting this option disables organization-wide password expiry enforcement..
