If OpenAM user datastore is OpenDJ and if OpenDJ has password policy with "force-change-on-reset" is set to true, then OpenDJ will return error upon user's next login and user will be forced to change their password whenever an user's password is changed by admin users.
Unfortunately, this OpenDJ Password Policy doesn't work well with JSON REST "_action=forgotPasswordReset" since it gives user a false perspective that a password has been reset and they can login using the specified password (REST), but in reality they will be asked to change their password again (OpenDJ password policy).
The flow is as follows :
1. use dsconfig command to set "force-change-on-reset: true" for Default Password Policy
2. run forgotPassword command and retrieve confirmationId and tokenId
3. use confirmationId and tokenId to set new password
This make user think that they can now use new password "cangetin" to login to openAM server. However, because of OpenDJ's Default Password Policy, the user will be forced to change their password again upon next login. This is because forgotPasswordReset (IdentityResource.java) will change user's password as admin so OpenDJ will set "pwdReset:true" to user's entry.
This extra step is confusing for users and therefore OpenDJ and OpenAM needs to find a way to work seamlessly.