OpenAM / OPENAM-13899

XUI - USS - Forgotten Password flow without KBA ends up in a loop


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5
    • Fix Version/s: None
    • Component/s: self-service, XUI

      Description

      Bug description

      Documentation has been updated in OPENAM-11979; however, the XUI bug is still valid and needs to be fixed (as the user can remove the security question at any point).

      The Forgot Password flow with Security Questions enabled works only if the user has security questions added. However, there are 2 cases we can't control at the moment:

      • Users are able to remove all their Security Questions (with Security Questions enabled); perhaps there should be a warning/error message to prevent this?
      • Users without Security Questions can't reset their password and end up in a loop of emails (see reproduction steps).

      How to reproduce the issue

      1. Add the USS service with Forgotten Password and Security Questions enabled
      2. Add the Email Service (e.g. fakeSMTP)
      3. Navigate to the Login page and click "Forgot Password"
      4. Enter the username on the "Reset My Password" page
      5. An email is sent (decode the URL it contains, e.g. with http://www.webatic.com/run/convert/qp.php)
      6. Open the decoded URL: it redirects you to the #continuePasswordReset page, which is step 4, and the loop never ends

      Now, if you add a security question on the user profile page and retry the steps above, resetting the password is possible (and you are asked the security question, obviously).

      Expected behaviour
      Return an error page (e.g. "reset password is not allowed as there is no KBA set on the profile - contact your administrator"), or allow the user to reset their password?

      Current behaviour
      Without a security question set, you are redirected to the #continueResetPassword page and it is impossible to reset the password.

            People

            Assignee: Unassigned
            Reporter: Anastasios Kampas (anastasios.kampas)