[OPENAM-5159] Request to improve REST forgotPasswordReset page flow Created: 30/Nov/14  Updated: 07/Dec/20  Resolved: 09/Mar/18

Status: Resolved
Project: OpenAM
Component/s: rest
Affects Version/s: 11.0.2
Fix Version/s: 6.0.0

Type: Improvement Priority: Major
Reporter: Sachiko Wallace Assignee: Kajetan Hemzaczek
Resolution: Fixed Votes: 4
Labels: AME, Must-Fix, TESLA

Attachments: File 6.sh     File 6privilege.sh     File privilege.ldif     File privilege1.ldif    
Issue Links:
is duplicated by OPENAM-6618 OpenAM "Forgot Password" makes the us... Resolved
relates to OPENAM-17157 Password reset via admin console with... Open
relates to OPENAM-6675 OpenAM 11.0.2 and 11.0.3 (non XUI GUI... Resolved
is related to OPENAM-3877 Changing password through new REST en... Resolved
is related to OPENAM-5158 PWResetQuestion is using hard coded a... Closed
is related to OPENAM-12517 Docs - Request to improve REST forgot... Resolved
OPENAM-12483 Review DoD Technical task Closed  
Sprint: Zelda - Team Tesla 2018.2, Angband - Team Tesla 2018.3
Story Points: 5
Epic Link: Password Policy Rationalization


If the OpenAM user datastore is OpenDJ and OpenDJ has a password policy with "force-change-on-reset" set to true, then OpenDJ will return an error upon the user's next login and the user will be forced to change their password whenever a user's password is changed by an admin user.

Unfortunately, this OpenDJ password policy doesn't work well with the JSON REST "_action=forgotPasswordReset", since it gives the user a false perspective that the password has been reset and they can log in using the specified password (REST), but in reality they will be asked to change their password again (OpenDJ password policy).

The flow is as follows:
1. use the dsconfig command to set "force-change-on-reset: true" for the Default Password Policy
2. run the forgotPassword command and retrieve confirmationId and tokenId

curl \
 --request POST \
 --header "Content-Type: application/json" \
 --data '{
   "username": "testuser01",
   "subject": "Reset your forgotten password with OpenAM",
   "message": "Follow this link to reset your password"
 }' \

3. use confirmationId and tokenId to set the new password

curl \
 --request POST \
 --header "Content-Type: application/json" \
 --data '{
 }' \

This makes the user think that they can now use the new password "cangetin" to log in to the OpenAM server. However, because of OpenDJ's Default Password Policy, the user will be forced to change their password again upon next login. This is because forgotPasswordReset (IdentityResource.java) changes the user's password as admin, so OpenDJ sets "pwdReset:true" on the user's entry.

This extra step is confusing for users, and therefore OpenDJ and OpenAM need to find a way to work seamlessly.
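As an added example (not from the ticket, its attachments, or OpenAM's code), a check a tester can run on the LDIF returned by an operational-attribute search of the user entry after step 3, to see whether OpenDJ has marked the entry with pwdReset, the flag that causes the forced change described above. The LDIF samples are constructed, and the ldapsearch invocation in the docstring is an assumption about how the output would be obtained.

```python
"""Post-reset check for the forgotPasswordReset / force-change-on-reset interaction.

Parses the LDIF an OpenDJ operational-attribute search of the user entry returns
(assumed: `ldapsearch -D <bindDN> -b ou=people,... "(uid=testuser01)" pwdReset pwdChangedTime`)
and reports whether the next login will be forced into another password change.
"""
import base64
import re

# Constructed sample: entry after an admin-bound reset under a policy with
# force-change-on-reset: true. OpenDJ flags it with pwdReset.
SAMPLE_LDIF_ADMIN_RESET = """\
dn: uid=testuser01,ou=people,dc=openam,dc=forgerock,dc=org
pwdChangedTime: 20141130120000.000Z
pwdReset: true
"""

# Constructed sample: the same user after a change performed as the user
# (e.g. via proxied authorization); no pwdReset flag, and a folded dn line.
SAMPLE_LDIF_SELF_CHANGE = """\
dn: uid=testuser01,ou=people,dc=openam,dc=forgerock,
 dc=org
pwdChangedTime: 20141130120500.000Z
"""


def parse_ldif_entry(text):
    """Return {lowercased attr: [values]} for one LDIF entry."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF folds long values onto " ..." lines
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)  # attr names are case-insensitive
    return entry


def forced_change_pending(ldif_text, force_change_on_reset=True):
    """True if the user will be told to change the password again at next bind.

    pwdReset is set when someone other than the entry itself modifies the
    password (the admin-bound forgotPasswordReset case); it only bites when the
    governing policy has force-change-on-reset enabled.
    """
    entry = parse_ldif_entry(ldif_text)
    flagged = any(v.lower() == "true" for v in entry.get("pwdreset", []))
    return force_change_on_reset and flagged


if __name__ == "__main__":
    print("admin reset ->", forced_change_pending(SAMPLE_LDIF_ADMIN_RESET))   # True
    print("self change ->", forced_change_pending(SAMPLE_LDIF_SELF_CHANGE))   # False
```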

Comment by Sachiko Wallace [ 30/Nov/14 ]

NOTE: user is forced to set force-change-on-reset: true on OpenDJ Password Policy because of OPENAM-5158

Comment by Kajetan Hemzaczek [ 28/Feb/18 ]

Replication steps:

Log in as amadmin and
1 Turn on User Self Service.
Go to “Configure->GlobalServices->User Self-Service”
On “General Configuration” tab
“Encryption Key Pair Alias”: “selfserviceenctest”,
“Signing Secret Key Alias”: “selfservicesigntest”. Press “Save Changes” button. On “Forgotten Password” tab enable “Forgotten Password”. Press “Save Changes” button.
2 In the root realm create the “Email Service”.
Go to “Services->Add a Service->Email Service”
“Mail Server Host Name”: “smtp.gmail.com”,
“Mail Server Authentication Username”: “john.smith@gmail.com”,
“Mail Server Authentication Password”: “valid password”,
“Email From Address”: “a@b.com”
Press “Create” button and then “Save Changes” button.
3 Add email address to “demo” user.
Go to “Identities-> demo”.
“Email Address”: “john.smith@gmail.com”. Press “Save Changes” button.
4 Execute ldapmodify on embedded DJ with privilege.ldif file. (see 6privilege.sh)
It creates uid=openamAdmin,ou=people,dc=openam,dc=forgerock,dc=org user which has “proxied-auth” privilege and “userPassword”: “password”.
5 Modify “embedded” “Data Store”.
Go to “Data Stores->embedded”
On “Server Settings” tab
“LDAP Bind DN”: “uid=openamAdmin,ou=people,dc=openam,dc=forgerock,dc=org”,
“LDAP Bind Password”: “password”, "Proxied Authentication using Bind DN": true. Press “Save Changes” button.
6 Create “test” chain with “LDAP” module.
Go to “Authentication->Chains->Add Chain”.
“Name”: “test”. Press “Create” button.
On the next page press “Add a Module” and then
“Select Module”: “LDAP”, “Select Criteria”: “Required”. Press “OK” button and then “Save Changes” button.
7 Modify “LDAP” module.
Go to “Authentication->Modules->LDAP”
“Bind User DN”: “uid=openamAdmin,ou=people,dc=openam,dc=forgerock,dc=org”
“Bind User Password”: “password”
“Bind User DN”: “cn=Directory Manager”
“Bind User Password”: relevant password
Press “Save Changes” button.
8 Modify Password Policy
set force-change-on-reset:true (see 6.sh)


There is also a simplified version of this Configuration.

In 4 execute privilege1.ldif

In 5 Modify “embedded” “Data Store”.
Go to “Data Stores->embedded”
On “Server Settings” tab
"Proxied Authentication using Bind DN": true. Press “Save Changes” button.


The Flow:
On the “Login Page” choose “Forgot Password?”
On the next page “Username”: “demo”
and then press “Submit” button.
The next page should show “An email has been sent to the address you entered. Click the link in that email to proceed.”
Go to the email, press the link, and on the next page change the password (at least 8 characters required). After a successful change, “Your password has been successfully reset.” is shown.
Log in to the “test” chain with “User name”: “demo”, “Password”: the newly created password.
The “demo” user's “User Profile” page is shown.

If instead of the new “openamAdmin” user default “Directory Manager” is used, “PASSWORD MUST BE RESET” page is displayed.
