  1. OpenAM
  2. OPENAM-5148

URL links in email sent from REST forgotPassword or register is not URLEncoded

    Details

    • Sprint:
      Sprint 76 - Sustaining

      Description

      We have noticed an issue with OpenAM’s REST based password reset service. When OpenAM sends out the forgot password email to the user, it contains a password reset link that contains various pieces of information (confirmationId, tokenId, and the username) - see below.

      Follow this link to reset your password
      http://openam.example.com:18080/opensso/XUI/confirm.html?confirmationId=q5q3BVTLV5pL9wKsgrgFIsJ5gGs=&tokenId=pu8l831NdGO8qDLiCKUQF0XRV3A=&username=testuser01
      

      The tokens seem to be randomly generated and occasionally will contain a plus sign ("+") embedded somewhere in the token data. The token data does not appear to be URLEncoded.
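The failure described in this report, as an added example (not OpenAM code and not part of the original report): a link built by plain concatenation is compared with one whose values are percent-encoded, and both are parsed back the way a form-urlencoded query decoder would. The function names, the decoder choice and the token containing "+" are assumptions constructed for illustration.

```javascript
// Constructed sample: the report's confirmationId with one character changed to '+'.
const SAMPLE = {
  confirmationId: "q5q3BVTL+5pL9wKsgrgFIsJ5gGs=",
  tokenId: "pu8l831NdGO8qDLiCKUQF0XRV3A=",
  username: "testuser01",
};
const BASE = "http://openam.example.com:18080/opensso/XUI/confirm.html";

// Link built by plain string concatenation, matching the email shown in the report.
function buildRawLink(base, params) {
  const query = Object.entries(params).map(([k, v]) => `${k}=${v}`).join("&");
  return `${base}?${query}`;
}

// Link with every name and value percent-encoded before it enters the query string.
function buildEncodedLink(base, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${base}?${query}`;
}

// Receiver side (assumed decoder): application/x-www-form-urlencoded parsing,
// in which a literal '+' in the query is read as a space.
function parseLink(link) {
  const out = {};
  for (const [k, v] of new URL(link).searchParams) out[k] = v;
  return out;
}

// Names of the parameters whose value did not survive the round trip.
function corruptedParams(link, original) {
  const received = parseLink(link);
  return Object.keys(original).filter((k) => received[k] !== original[k]);
}

const raw = buildRawLink(BASE, SAMPLE);
const encoded = buildEncodedLink(BASE, SAMPLE);
console.log("raw link     :", raw);
console.log("  corrupted  :", corruptedParams(raw, SAMPLE));
console.log("  received id:", JSON.stringify(parseLink(raw).confirmationId));
console.log("encoded link :", encoded);
console.log("  corrupted  :", corruptedParams(encoded, SAMPLE));
```

Tokens without a "+" round-trip unchanged in the raw link, which is why the failure shows up only occasionally.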

            People

            • Assignee:
              sachiko Sachiko Wallace
              Reporter:
              sachiko Sachiko Wallace