[OPENAM-5148] URL links in email sent from REST forgotPassword or register is not URLEncoded
Created: 27/Nov/14  Updated: 20/Nov/16  Resolved: 26/Jan/15

Status: Resolved
Project: OpenAM
Component/s: rest
Affects Version/s: 11.0.0, 11.0.1, 11.0.2
Fix Version/s: 11.0.3, 12.0.1, 13.0.0

Type: Bug
Priority: Major
Reporter: Sachiko Wallace
Assignee: Sachiko Wallace
Resolution: Fixed
Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Sprint 76 - Sustaining
Support Ticket IDs:


We have noticed an issue with OpenAM’s REST-based password reset service. When OpenAM sends out the forgot password email to the user, it contains a password reset link that contains various pieces of information (confirmationId, tokenId, and the username) - see below.

Follow this link to reset your password

The tokens seem to be randomly generated and occasionally will contain a plus sign ("+") embedded somewhere in the token data. The token data does not appear to be URLEncoded.
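
Added example, not part of the original report and not OpenAM code: it shows why an unencoded "+" in a link parameter matters, assuming the receiving side decodes the query string as form-urlencoded data, where "+" means a space. The base URL and token values are constructed placeholders; only the parameter names come from the report.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values: placeholder host and made-up tokens containing
# "+", "/" and "=", the characters a base64-style random token can carry.
BASE = "https://openam.example.com/reset"
PARAMS = {
    "confirmationId": "k3+Zt/9aQ=",
    "tokenId": "Ab+Cd+Ef==",
    "username": "demo",
}

def build_link_unencoded(base, params):
    """Concatenate raw values into the query string (no URL encoding)."""
    return base + "?" + "&".join(f"{k}={v}" for k, v in params.items())

def build_link_encoded(base, params):
    """Percent-encode every name and value before placing it in the link."""
    return base + "?" + urlencode(params)

def received_params(link):
    """Decode the query as a form-urlencoded parser does ('+' becomes ' ')."""
    parsed = parse_qs(urlsplit(link).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}

def corrupted_fields(link, sent):
    """Names of parameters whose decoded value differs from what was sent."""
    got = received_params(link)
    return sorted(name for name in sent if got.get(name) != sent[name])

if __name__ == "__main__":
    for build in (build_link_unencoded, build_link_encoded):
        link = build(BASE, PARAMS)
        print(build.__name__)
        print("  link:     ", link)
        print("  corrupted:", corrupted_fields(link, PARAMS))
```

The round-trip comparison in corrupted_fields can be reused as a regression check on any code path that generates emailed links carrying random tokens.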
