[OPENAM-14705]  AM versions since 6 do not document changes introduced in OPENAM-8349 Created: 01/Apr/19  Updated: 11/Sep/19  Resolved: 07/May/19

Status: Resolved
Project: OpenAM
Component/s: documentation
Affects Version/s: 6.5.0, 7.0.0
Fix Version/s: 6.5.2, 7.0.0

Type: Bug Priority: Major
Reporter: William Hepler Assignee: Cristina Herraz
Resolution: Fixed Votes: 0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

AM 6.x release notes

Issue Links:
Sprint: AM 2019.6 - Lathe
Story Points: 3
Needs backport:
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
No (add reasons in the comment)


Bug description

The Password reset email token can no longer be reused multiple times. This may change the flow of customizations or applications that use this user self service feature. 

How to reproduce the issue

  1. Checking the release notes, there is only a section on:

Forgotten Password Account Lockout Feature

AM 6 provides new properties to limit the number of attempts allowed at answering security questions (KBA), and to lock the account if exceeded. The properties are as follows:

  • Enforce password reset lockout (forgotten.password.kba.number.of.allowed.attempts.enforced)
  • Lock Out After number of attempts (forgotten.password.kba.number.of.allowed.attempts)
  2. There is no mention of this security improvement or change.

Expected behaviour

You would be able to click on the password recovery link multiple times and still recover your password.

Current behaviour

The URL is only usable once; if you fail, you need to initiate receiving an email again.
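To make the behavioural change concrete, here is an added example (hypothetical code written for this page, not OpenAM's implementation and not part of the ticket) of a password-reset token store that models both behaviours: the single-use tokens described above, where the first click invalidates the emailed link, beside the earlier reusable behaviour the reporter expected. The 15-minute lifetime, the class and function names, and the user names are assumptions for illustration; the ticket does not state AM's values.

```python
"""Single-use password-reset tokens (the AM 6 behaviour the ticket describes)
beside reusable ones (the earlier behaviour). Hypothetical example; not OpenAM code."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the ticket does not state AM's value


@dataclass
class ResetEntry:
    user: str
    expires_at: float


class ResetTokenStore:
    """Issues random reset tokens and redeems them.

    single_use=True models the AM 6 behaviour from the ticket: the first
    redemption removes the token, so a second click on the same link fails
    and the user must request a new email.
    single_use=False models the earlier behaviour the reporter expected.
    """

    def __init__(self, single_use: bool = True,
                 clock: Callable[[], float] = time.time) -> None:
        self._entries: Dict[str, ResetEntry] = {}
        self.single_use = single_use
        self._clock = clock

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token: a leaked store must not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._entries[self._key(token)] = ResetEntry(
            user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user the token was issued for, or None if it is invalid."""
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is None:
            return None  # unknown, already consumed, or purged after expiry
        if self._clock() > entry.expires_at:
            del self._entries[key]  # expired: purge and reject
            return None
        if self.single_use:
            # Consume in the same step as the check. A real backend needs an
            # atomic conditional delete here so two concurrent clicks cannot both win.
            del self._entries[key]
        return entry.user


def double_click(single_use: bool) -> Tuple[Optional[str], Optional[str]]:
    """Simulate a user clicking the same emailed link twice."""
    store = ResetTokenStore(single_use=single_use)
    link_token = store.issue("alice")  # constructed sample user
    return store.redeem(link_token), store.redeem(link_token)


def expired_click() -> Optional[str]:
    """Simulate a click after the token lifetime has passed, using a fake clock."""
    now = [1_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    link_token = store.issue("bob")  # constructed sample user
    now[0] += TOKEN_TTL_SECONDS + 1
    return store.redeem(link_token)


if __name__ == "__main__":
    print("AM 6 (single-use):", double_click(True))   # ('alice', None)
    print("earlier (reusable):", double_click(False))  # ('alice', 'alice')
    print("expired:", expired_click())                 # None
```

The practical consequence for customisations is the one the ticket hints at: a flow that validates the token once when the link is opened and again when the new password is submitted will fail on the second validation under single-use semantics, so the flow has to redeem the token exactly once and carry the result in server-side state for the remaining steps.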

Comment by Cristina Herraz [ 02/Apr/19 ]

Would be useful to add a mention about this in the USS book and then in the 6.0 RNs.

Comment by Cristina Herraz [ 07/May/19 ]

Added a note to the USS guide, and a RN for 6.

Generated at Sat Feb 27 04:25:33 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.