Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-5159

Request to improve REST forgotPasswordReset page flow

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.2
    • Fix Version/s: 6.0.0
    • Component/s: rest
    • Labels:
    • Target Version/s:
    • Support Ticket IDs:

      Description

      If OpenAM user datastore is OpenDJ and if OpenDJ has password policy with "force-change-on-reset" is set to true, then OpenDJ will return error upon user's next login and user will be forced to change their password whenever an user's password is changed by admin users.

      Unfortunately, this OpenDJ Password Policy doesn't work well with JSON REST "_action=forgotPasswordReset" since it gives user a false perspective that a password has been reset and they can login using the specified password (REST), but in reality they will be asked to change their password again (OpenDJ password policy).

      The flow is as follows :
      1. use dsconfig command to set "force-change-on-reset: true" for Default Password Policy
      2. run forgotPassword command and retrieve confirmationId and tokenId

      curl \
       --request POST \
       --header "Content-Type: application/json" \
       --data '{
         "username": "testuser01",
         "subject": "Reset your forgotten password with OpenAM",
         "message": "Follow this link to reset your password"
       }' \
      http://openam.example.com:18080/opensso/json/users/?_action=forgotPassword
      

      3. use confirmationId and tokenId to set new password

      curl \
       --request POST \
       --header "Content-Type: application/json" \
       --data '{
       "username":"testuser01",
       "userpassword":"cangetin",
       "tokenId":"pu8l831NdGO8qDLiCKUQF0XRV3A=",
       "confirmationId":"q5q3BVTLV5pL9wKsgrgFIsJ5gGs="
       }' \
       http://authz.example.com:18080/opensso/json/users?_action=forgotPasswordReset
      

      This make user think that they can now use new password "cangetin" to login to openAM server. However, because of OpenDJ's Default Password Policy, the user will be forced to change their password again upon next login. This is because forgotPasswordReset (IdentityResource.java) will change user's password as admin so OpenDJ will set "pwdReset:true" to user's entry.

      This extra step is confusing for users and therefore OpenDJ and OpenAM needs to find a way to work seamlessly.

        Attachments

        1. 6.sh
          0.3 kB
        2. 6privilege.sh
          0.1 kB
        3. privilege.ldif
          2 kB
        4. privilege1.ldif
          0.1 kB

          Issue Links

            Activity

              People

              • Assignee:
                kajetan.hemzaczek Kajetan Hemzaczek
                Reporter:
                sachiko Sachiko Wallace
              • Votes:
                4 Vote for this issue
                Watchers:
                20 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: