Details
Description
If the OpenAM user datastore is OpenDJ and the OpenDJ password policy has "force-change-on-reset" set to true, then whenever an admin user changes a user's password, OpenDJ returns an error on that user's next login and forces them to change their password.
Unfortunately, this OpenDJ password policy does not work well with the JSON REST "_action=forgotPasswordReset" call: it gives the user the false impression that the password has been reset and that they can log in with the password they specified (REST), while in reality they will be asked to change their password again (OpenDJ password policy).
The flow is as follows:
1. Use the dsconfig command to set "force-change-on-reset: true" on the Default Password Policy.
2. Run the forgotPassword command and retrieve the confirmationId and tokenId:
   curl \
     --request POST \
     --header "Content-Type: application/json" \
     --data '{ "username": "testuser01", "subject": "Reset your forgotten password with OpenAM", "message": "Follow this link to reset your password" }' \
     http://openam.example.com:18080/opensso/json/users/?_action=forgotPassword
3. Use the confirmationId and tokenId to set the new password:
   curl \
     --request POST \
     --header "Content-Type: application/json" \
     --data '{ "username":"testuser01", "userpassword":"cangetin", "tokenId":"pu8l831NdGO8qDLiCKUQF0XRV3A=", "confirmationId":"q5q3BVTLV5pL9wKsgrgFIsJ5gGs=" }' \
     http://authz.example.com:18080/opensso/json/users?_action=forgotPasswordReset
This makes the user think they can now use the new password "cangetin" to log in to the OpenAM server. However, because of OpenDJ's Default Password Policy, the user will be forced to change their password again on the next login. The cause is that forgotPasswordReset (IdentityResource.java) changes the user's password as admin, so OpenDJ sets "pwdReset: true" on the user's entry.
This extra step is confusing for users, and therefore OpenDJ and OpenAM need to find a way to work together seamlessly.
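The following is an added example, not code from OpenAM or OpenDJ. It models the behaviour described above so an operator can predict, from the password policy and the user's entry, whether the next login will demand another password change, and it shows the kind of message a self-service reset flow should return instead of an unconditional "password has been reset". The LDIF snippets are constructed; the attribute names pwdReset and ds-cfg-force-change-on-reset are OpenDJ's, and the rule that a user's own password change clears pwdReset follows the standard LDAP password-policy semantics (an assumption of this model, not something the issue states).

```python
# Added example (not part of OpenAM/OpenDJ): model of the OpenDJ
# force-change-on-reset behaviour behind the double password prompt.

# Constructed: the Default Password Policy as it looks after step 1 (dsconfig).
POLICY_LDIF = """\
dn: cn=Default Password Policy,cn=Password Policies,cn=config
objectClass: ds-cfg-password-policy
ds-cfg-force-change-on-reset: true
"""

# Constructed: the user entry before any reset has happened.
USER_LDIF = """\
dn: uid=testuser01,ou=people,dc=example,dc=com
uid: testuser01
userPassword: {SSHA}placeholder
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute-name (lower case): [values]}."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def force_change_on_reset(policy):
    """Whether the parsed policy has force-change-on-reset enabled."""
    return policy.get("ds-cfg-force-change-on-reset", ["false"])[0].lower() == "true"


def apply_password_change(entry, policy, new_password, changed_by):
    """Return a copy of the entry after a password modification.

    changed_by is "admin" (what forgotPasswordReset does, since it binds as
    the OpenAM admin) or "self" (the user changing their own password).
    An administrative change under force-change-on-reset sets pwdReset: TRUE;
    a self-change clears it (assumed standard password-policy semantics).
    """
    if changed_by not in ("admin", "self"):
        raise ValueError("changed_by must be 'admin' or 'self'")
    updated = {name: list(values) for name, values in entry.items()}
    # Clear-text marker only; a real directory stores a hash.
    updated["userpassword"] = ["{CLEAR}" + new_password]
    updated.pop("pwdreset", None)
    if changed_by == "admin" and force_change_on_reset(policy):
        updated["pwdreset"] = ["TRUE"]
    return updated


def must_change_on_next_login(entry):
    """True when the directory will require a new password at the next login."""
    return entry.get("pwdreset", ["FALSE"])[0].upper() == "TRUE"


def reset_result_message(entry, username):
    """Message a self-service flow should return after forgotPasswordReset."""
    if must_change_on_next_login(entry):
        return (f"Password for {username} was reset, but the directory password "
                "policy requires you to choose a new password at your next login.")
    return f"Password for {username} was reset; you can log in with it now."


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    user = parse_ldif_entry(USER_LDIF)
    # Step 3 of the flow: forgotPasswordReset changes the password as admin.
    after_rest_reset = apply_password_change(user, policy, "cangetin", "admin")
    print(reset_result_message(after_rest_reset, "testuser01"))
    # The forced change at next login, done by the user, clears the flag.
    after_self_change = apply_password_change(after_rest_reset, policy, "newpass", "self")
    print(reset_result_message(after_self_change, "testuser01"))
```

The same check can be run against a live entry by replacing the constructed USER_LDIF with the output of an ldapsearch for the user's operational attributes (pwdReset is operational, so it has to be requested explicitly) before the REST layer tells the user the reset is complete.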
Issue Links
- is duplicated by:
  - OPENAM-6618 OpenAM "Forgot Password" makes the user change their password twice, if the OpenDJ Password Policy includes "force-change-on-reset" (Resolved)
- is related to:
  - OPENAM-3877 Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate (Resolved)
  - OPENAM-5158 PWResetQuestion is using hard coded attribute to expire password (Closed)
  - OPENAM-12517 Docs - Request to improve REST forgotPasswordReset page flow (Resolved)
- relates to:
  - OPENAM-17157 Password reset via admin console with Proxied Authorization enabled is not possible (In Progress)
  - OPENAM-6675 OpenAM 11.0.2 and 11.0.3 (non XUI GUI) user self password change triggers the force-change-on-reset (Resolved)
Sub-tasks
1. Review DoD (Closed, Unassigned)