Documentation has been updated on ---
---, however, the XUI bug is still valid and needs to be fixed (as the user can remove the security question at any point). OPENAM-11979
The Forgot Password flow with Security Questions enabled works only if the user has security questions added. However, there are 2 cases we can't control at the moment:
- Users are able to remove all their Security Questions (with Security Questions enabled); perhaps there should be a warning/error message to prevent this?
- Users without Security Questions can't reset their password and end up in a loop of emails (see reproduction steps).
1. Added USS Service with Forgotten Password and Security Questions enabled
2. Added the Email Service (e.g. fakeSMTP)
3. Navigate to the Login page and click "Forgot Password"
4. Use the username on the "Reset My Password" page
5. Email sent (get the URL decoded, e.g. with http://www.webatic.com/run/convert/qp.php)
6. Use the URL above: it redirects you to the #continuePasswordReset page, which is step 4, and the loop never ends
Now, if you add a security question in the user profile page and retry the above steps, resetting the password is possible (and you are asked the security question, obviously).
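The URL-decoding step in the reproduction can be done locally, which keeps the reset link and its token out of a third-party converter. This is an added example, not part of the original report; the message, host, path and query parameter names below are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import parse_qs, urlsplit

# Constructed sample (not from the report): a reset mail with a quoted-printable
# body, where "=" is written "=3D" and a trailing "=" marks a soft line break.
# Host, path, parameter names and values are placeholders.
RAW_MESSAGE = (
    "From: openam@example.com\n"
    "To: demo@example.com\n"
    "Subject: Reset your password\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Click to reset: http://openam.example.com:8080/openam/placeholder?realm=3D=\n"
    "/&token=3DCONSTRUCTED-TOKEN&code=3DCONSTRUCTED-CODE\n"
    "If you did not request this, ignore this mail.\n"
)


def extract_reset_url(raw_message: str) -> str:
    """Decode the mail body per its Content-Transfer-Encoding and return the first URL."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        raise ValueError("no text/plain part in message")
    body = part.get_content()  # undoes quoted-printable and the charset
    match = re.search(r"https?://\S+", body)
    if match is None:
        raise ValueError("no URL found in decoded body")
    return match.group(0)


def reset_parameters(url: str) -> dict:
    """Return the query parameters of the reset link for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    link = extract_reset_url(RAW_MESSAGE)
    print(link)
    print(sorted(reset_parameters(link)))
```
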