When password reset questions are created as explained in https://backstage.forgerock.com/#!/docs/openam/11.0.0/admin-guide/chap-pwd-reset#set-up-pwd-reset-service, only the first question in the list is selected when the user tries to reset their password.
Steps to recreate:
- Set up password reset questions as explained in the above document.
- Add an email service for the realm you are testing in.
- Add REST Security service for the realm you are testing in to enable Forgot Password for User.
- Add Password Reset service for the realm you are testing in.
- Add list of Secret Questions created from step 1.
- Navigate to http://openam.example.com:8080/openam/password and enter a user ID. You will now see the security question that is first in the list of questions, no matter how many times you try to get a different question.
- Delete the first question from the Secret Question list in Password Reset. Complete step 5 to verify that the question asked is always the first question.