OPENAM-13670

Selfservice password reset token doesn't work in site due to OPENAM-6426


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 5.5.2
    • Fix Version/s: 6.5.0, 6.0.1, 5.5.2
    • Component/s: self-service
    • Sprint: AM Sustaining Sprint 55


      Bug description

      selfservice snapshot token doesn't work in site again after OPENAM-6426

      How to reproduce the issue

      1. install 2 instances of AM in site with version
      2. configure selfservice under root realm
      3. enable "Forgotten Password", but disable "Email Verification"
      4. retrieve first stage of selfservice flow with AM2
        curl -X POST -v \
          'http://openam.example.com:28080/openam/json/realms/root/selfservice/forgottenPassword?_action=submitRequirements' \
          -H 'Cache-Control: no-cache' \
          -H 'Content-Type: application/json' \
          -H 'Accept-API-Version: protocol=1.0,resource=1.0' \
          -H 'Accept: application/json' \
          -d '{"input":{"queryFilter":"uid eq \"testuser001\""}}'
      5. reset password with AM1
        curl -X POST -v \
          'http://openam.example.com:18080/openam/json/realms/root/selfservice/forgottenPassword?_action=submitRequirements' \
          -H 'Cache-Control: no-cache' \
          -H 'Content-Type: application/json' \
          -H 'Accept-API-Version: protocol=1.0,resource=1.0' \
          -H 'Accept: application/json' \
          -d '{"token":"eyJ0eXAi...","input":{"password":"cangetin12345"}}'

      After the last step, you will see an "Invalid Token" exception in CoreSystem:

      org.forgerock.selfservice.core.AnonymousProcessService:10/03/2018 05:59:35:649 AM NZDT: Thread[http-bio-18080-exec-9,5,main]: TransactionId[ddf5fbab-bcb3-46c0-8bf4-96ccd4636fed-5172]
      Resource exception intercepted
      org.forgerock.json.resource.BadRequestException: Invalid token
              at org.forgerock.selfservice.core.AnonymousProcessService.progressProcess(AnonymousProcessService.java:194) <--- THIS LINE NUMBER
              at org.forgerock.selfservice.core.AnonymousProcessService.handleAction(AnonymousProcessService.java:115)
              at org.forgerock.openam.selfservice.SelfServiceRequestHandler.handleAction(SelfServiceRequestHandler.java:145)
              at org.forgerock.json.resource.Router.handleAction(Router.java:250)
              at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:55)
              at org.forgerock.openam.rest.fluent.AuditFilter.filterAction(AuditFilter.java:81)

      Expected behaviour

      snapshot token should work across sites

      Current behaviour

      invalid token (400) is thrown

      Work around

      use sticky session

      Code analysis

      OPENAM-6426 has introduced a new stage config, ActivityAuditStageConfig, which was hashing an enum. These objects will give different hash codes on different VMs.

          @Override
          public boolean equals(Object o) {
              if (this == o) {
                  return true;
              }
              if (!(o instanceof ActivityAuditStageConfig)) {
                  return false;
              }
              ActivityAuditStageConfig that = (ActivityAuditStageConfig) o;
              return Objects.equals(getName(), that.getName())
                      && Objects.equals(getProgressStageClassName(), that.getProgressStageClassName())
                      && Objects.equals(realm, that.getRealm())
                      && Objects.equals(eventName, that.getEventName())
                      && Objects.equals(operation, that.getOperation());
          }

          @Override
          public int hashCode() {
              // Enum values are hashed directly; Enum.hashCode() is identity-based, so the result is JVM-specific.
              return Objects.hash(getName(), getProgressStageClassName(), realm, eventName, operation);
          }
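
The hashing pattern from the code analysis next to a JVM-independent variant, as an added example (not OpenAM code and not the fix that was shipped). The class `StageConfigHashDemo`, the enum `Operation` and the sample field values are hypothetical, and it assumes the token is validated against a hash of the stage configuration, as the analysis implies.

```java
import java.util.Objects;

public class StageConfigHashDemo {

    // Hypothetical enum standing in for the enum-typed fields of the stage config.
    enum Operation { CREATE, UPDATE }

    // Pattern from the analysis: the enum constant itself goes into Objects.hash().
    static int jvmLocalHash(String name, String realm, Operation op) {
        return Objects.hash(name, realm, op);
    }

    // Portable variant: hash the constant's name(). String.hashCode() is defined
    // by the Java API specification, so every JVM computes the same value.
    static int portableHash(String name, String realm, Operation op) {
        return Objects.hash(name, realm, op == null ? null : op.name());
    }

    // True when the enum's hash is just the object's identity hash in this JVM.
    static boolean enumHashIsIdentityHash(Operation op) {
        return op.hashCode() == System.identityHashCode(op);
    }

    public static void main(String[] args) {
        Operation op = Operation.UPDATE;

        // Enum.hashCode() is final and delegates to Object.hashCode().
        System.out.println("enum hash is identity hash: " + enumHashIsIdentityHash(op));

        // Constructed sample values. Run this on two servers and compare the
        // output: only the portable value is guaranteed to match, so only it
        // can validate a token that was issued by another instance in the site.
        System.out.println("jvm-local hash: " + jvmLocalHash("activityAudit", "/", op));
        System.out.println("portable hash:  " + portableHash("activityAudit", "/", op));
    }
}
```

The identity hash can coincide between two runs on the same machine, so matching output in a quick local test does not show the first form is safe across a site.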


              • Assignee: Sachiko Wallace