[OPENAM-5159] Request to improve REST forgotPasswordReset page flow Created: 30/Nov/14 Updated: 07/Dec/20 Resolved: 09/Mar/18
|Reporter:||Sachiko Wallace||Assignee:||Kajetan Hemzaczek|
|Labels:||AME, Must-Fix, TESLA|
|Σ Remaining Estimate:||Not Specified||Remaining Estimate:||Not Specified|
|Σ Time Spent:||Not Specified||Time Spent:||Not Specified|
|Σ Original Estimate:||Not Specified||Original Estimate:||Not Specified|
|Attachments:||6.sh 6privilege.sh privilege.ldif privilege1.ldif|
|Sprint:||Zelda - Team Tesla 2018.2, Angband - Team Tesla 2018.3|
|Epic Link:||Password Policy Rationalization|
|Support Ticket IDs:|
If OpenAM user datastore is OpenDJ and if OpenDJ has password policy with "force-change-on-reset" is set to true, then OpenDJ will return error upon user's next login and user will be forced to change their password whenever an user's password is changed by admin users.
Unfortunately, this OpenDJ Password Policy doesn't work well with JSON REST "_action=forgotPasswordReset" since it gives user a false perspective that a password has been reset and they can login using the specified password (REST), but in reality they will be asked to change their password again (OpenDJ password policy).
The flow is as follows :
3. use confirmationId and tokenId to set new password
This make user think that they can now use new password "cangetin" to login to openAM server. However, because of OpenDJ's Default Password Policy, the user will be forced to change their password again upon next login. This is because forgotPasswordReset (IdentityResource.java) will change user's password as admin so OpenDJ will set "pwdReset:true" to user's entry.
This extra step is confusing for users and therefore OpenDJ and OpenAM needs to find a way to work seamlessly.
|Comment by Sachiko Wallace [ 30/Nov/14 ]|
NOTE: user is forced to set force-change-on-reset: true on OpenDJ Password Policy because of
|Comment by Kajetan Hemzaczek [ 28/Feb/18 ]|
There is also a simplified version of this Configuration.
In 4 execute privilege1.ldif
In 5 Modify “embedded” “Data Store”.
If instead of the new “openamAdmin” user default “Directory Manager” is used, “PASSWORD MUST BE RESET” page is displayed.