[OPENAM-3877] Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 11.0.0
Fix Version/s: 11.0.3, 12.0.1, 13.0.0
Component/s: rest
Labels:
- EDISON
- release-notes
Environment:
CentOS 6.4
Tomcat

Target Version/s:

11.0.3, 12.0.1, 13.0.0
Rank:
1|hzltbj:

Sprint:
Sprint 76 - Sustaining
Epic Link:
Password Policy Rationalization

Support Ticket IDs:

Description

When changing password through the new REST interface, the IdentityResource#checkValidPassword method tries to authenticate the user in the realm (using the default chain for the realm), but does not have access to the AuthN context. If the authentication needs anything else than the username/oldpassword (e.g. historical IP address in adaptive risk module), the authentication fails and the password can not be changed.

Attachments

Issue Links

is duplicated by

OPENAM-5557 XUI fails on password change with WDSSO enabled

Resolved

relates to

OPENAM-5562 Users can't change password via XUI/REST API after OPENAM-3877 when using embedded

Resolved

OPENAM-6867 changePassword REST endpoint is not returning LDAP issues that are related to a user mistake.

Resolved

OPENAM-5159 Request to improve REST forgotPasswordReset page flow

Resolved

Activity

People

Assignee:

Peter Major [X] (Inactive)

Reporter:

Nathalie Hoet

Votes:

0 Vote for this issue

Watchers:

8 Start watching this issue

Dates

Created:

16/Apr/14 4:32 PM

Updated:

20/Nov/16 12:09 PM

Resolved:

11/Feb/15 2:27 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: