[OPENAM-5148] URL links in email sent from REST forgotPassword or register is not URLEncoded
Created: 27/Nov/14 Updated: 20/Nov/16 Resolved: 26/Jan/15
|Affects Version/s:||11.0.0, 11.0.1, 11.0.2|
|Fix Version/s:||11.0.3, 12.0.1, 13.0.0|
|Reporter:||Sachiko Wallace||Assignee:||Sachiko Wallace|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Sprint:||Sprint 76 - Sustaining|
|Support Ticket IDs:|
We have noticed an issue with OpenAM’s REST-based password reset service. When OpenAM sends out the forgot password email to the user, it contains a password reset link that contains various pieces of information (confirmationId, tokenId, and the username) - see below.
The tokens seem to be randomly generated and occasionally will contain a plus sign ("+") embedded somewhere in the token data. The token data does not appear to be URLEncoded.
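
The failure mode described in this report, as an added example that is not OpenAM code: a query-string value containing "+" is read back as a space by a form-decoding receiver unless it was percent-encoded when the link was built. The base URL and the token values are constructed for illustration; only the parameter names come from the report.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumed base URL and constructed sample values (not real OpenAM output).
BASE_URL = "https://openam.example.com/resetPassword"
PARAMS = {
    "confirmationId": "Xq7LmP2vT9",  # no "+": survives either way
    "tokenId": "Ab3+dEf9Gh",         # "+" embedded in the token
    "username": "demo",
}


def build_link(params, encode):
    """Build the emailed link, percent-encoding each value only if asked."""
    pairs = []
    for name, value in params.items():
        if encode:
            # safe="" also encodes "/", "=", "&" and "+" inside the value
            value = quote(value, safe="")
        pairs.append(f"{name}={value}")
    return BASE_URL + "?" + "&".join(pairs)


def read_back(link):
    """Decode the query string as a form-decoding receiver would."""
    parsed = parse_qs(urlsplit(link).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def damaged_params(params, encode):
    """Names of parameters whose value changed across the round trip."""
    received = read_back(build_link(params, encode))
    return sorted(n for n, v in params.items() if received.get(n) != v)


if __name__ == "__main__":
    for encode in (False, True):
        link = build_link(PARAMS, encode)
        print("encoded" if encode else "raw    ", link)
        print("        damaged:", damaged_params(PARAMS, encode))
```

Because only some generated tokens contain "+", the raw link fails intermittently, which is why the round trip is checked per parameter.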