Supporting Multiple Notification Channels for Username Recovery and Password Recovery

[somindatommy]

Related to issue: #6116

Issue

There are several limitations in the username and password recovery APIs

• Currently IS supports account recovery via emails. Therefore, the users must have a email address in order to support account recovery. If a user does not have a email address, the user is enable to recover the account which has become a major limitation of the recovery APIs.
• Username recovery supports, recovery user name providing multiple claims to identify the user. But the password recovery api only support user identification via username. There are no additional claims to identity the user other than username.

Goals

• Support mobile and email channels for user account recovery.
• Support multiple claims for password recovery.
• Support account recovery when the notifications are externally managed.

Approach

• New user account recovery endpoint to support username and password recovery with multiple notification channels.
• New APIs returns available verified notification channels available for the user and ask users preference to receive recovery details and then proceed with the recovery flow.