[OPENAM-6867] changePassword REST endpoint is not returning LDAP issues that are related to a user mistake. Created: 16/Sep/15  Updated: 09/Aug/17  Resolved: 07/Jan/16

Status: Resolved
Project: OpenAM
Component/s: rest, XUI
Affects Version/s: 12.0.1, 13.0.0
Fix Version/s: 12.0.3, 13.0.0

Type: Bug Priority: Major
Reporter: Quentin CASTEL [X] (Inactive) Assignee: Quentin CASTEL [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: 13.0.0-Must-Fix, EDISON, release-notes, test-candidate
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
depends on OPENDJ-2299 ResultCode.valueOf throw java.lang.In... Done
duplicates OPENAM-6614 Generic error message received when t... Closed
relates to OPENAM-5562 Users can't change password via XUI/R... Resolved
relates to OPENAM-8174 OpenAM gives an Internal Server Error... Resolved
is related to OPENAM-3877 Changing password through new REST en... Resolved
is related to OPENAM-8074 Changing an user password with the sa... Resolved
Sprint: AM Sustaining Sprint 13, AM Sustaining Sprint 14, AM Sustaining Sprint 15, AM Sustaining Sprint 16
Epic Link: Password Policy Rationalization
Support Ticket IDs:
Verified Version/s:


Using the changePassword REST endpoint, via the XUI or the REST service directly, can throw an Internal Server Error.
Since OPENAM-3877, we abstract the LDAP error behind an internal error, which is appropriate for internal configuration issues that the user shouldn't be aware of, like:

The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights

However, when the error is due to a user mistake, we still return an internal server error. In these cases it would be relevant to return the LDAP error to the user:

  • the user sent the wrong old password
  • the new password is not respecting the password policy (on DJ)

You can use this curl command to reproduce it:

curl \
 --request POST \
 --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczOHXUv8Vw4ltNyM86ikW2ipB9RZEA8CRs.*AAJTSQACMDEAAlNLABQtNzMzMDMxMDQ2MDQxNjQ4NzU1NQ..*" \
 --header "Content-Type: application/json" \
 --data '{
 }' \

Instead of throwing an internal exception:

 public static void changePassword(Context serverContext, String realm, String username, String oldPassword,
            String newPassword) throws ResourceException {
        try {
            SSOToken token = serverContext.asContext(SSOTokenContext.class).getCallerSSOToken();
            AMIdentity userIdentity = new AMIdentity(token, username, IdType.USER, realm, null);
            userIdentity.changePassword(oldPassword, newPassword);
        } catch (SSOException ssoe) {
            debug.warning("IdentityRestUtils.changePassword() :: SSOException occurred while changing "
                    + "the password for user: " + username, ssoe);
            throw new PermanentException(401, "An error occurred while trying to change the password", ssoe);
        } catch (IdRepoException ire) {
            if (IdRepoBundle.ACCESS_DENIED.equals(ire.getErrorCode())) {
                throw new ForbiddenException("The user is not authorized to change the password");
            } else {
                // Every other IdRepoException, including a wrong old password or a DJ password policy
                // rejection, is collapsed into a generic 500 here: this is the behaviour the ticket reports.
                debug.warning("IdentityRestUtils.changePassword() :: IdRepoException occurred while "
                        + "changing the password for user: " + username, ire);
                throw new InternalServerErrorException("An error occurred while trying to change the password", ire);
            }
        }
    }

We should throw a new type of exception that filters out the LDAP exceptions that can safely be displayed to the user.
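An added illustration (not OpenAM's own code) of the split the ticket asks for: LDAP results caused by the user become a 400 that carries the directory's own wording, while anything else is logged server-side and the caller only sees the generic 500. It uses plain JDK types and the standard RFC 4511 result code numbers; the class and method names are assumptions.

```java
// Illustration only (not OpenAM code): decide which LDAP failures of a password change may be
// shown to the caller. Class and method names are assumptions; result codes are from RFC 4511.
public final class PasswordChangeErrorMapper {

    static final int CONSTRAINT_VIOLATION = 19;        // DJ password validator rejected the new value
    static final int INVALID_CREDENTIALS = 49;         // the supplied old password was wrong
    static final int INSUFFICIENT_ACCESS_RIGHTS = 50;  // bind account lacks rights: a configuration issue

    /** The JSON-shaped error body the REST endpoint would return. */
    public static final class HttpError {
        public final int code; public final String reason; public final String message;
        HttpError(int code, String reason, String message) {
            this.code = code; this.reason = reason; this.message = message;
        }
        @Override public String toString() {
            return String.format("{\"code\":%d,\"reason\":\"%s\",\"message\":\"%s\"}", code, reason, message);
        }
    }

    /**
     * User mistakes map to 400 and may carry the directory's diagnostic text; anything else is a
     * server-side problem, so the diagnostic is logged and the caller gets the generic message only.
     */
    public static HttpError map(int resultCode, String diagnosticMessage) {
        switch (resultCode) {
            case INVALID_CREDENTIALS:
                // 400 rather than 401: the session is valid, only the supplied old password is not.
                return new HttpError(400, "Bad Request", "Old password is incorrect.");
            case CONSTRAINT_VIOLATION:
                // The validator message names only the rule the new password broke, which the user needs.
                return new HttpError(400, "Bad Request", diagnosticMessage != null ? diagnosticMessage
                        : "The new password does not satisfy the password policy.");
            default:
                // Access rights, schema and connectivity problems describe the deployment, not the user.
                System.err.println("changePassword failed, LDAP result " + resultCode + ": " + diagnosticMessage);
                return new HttpError(500, "Internal Server Error",
                        "An error occurred while trying to change the password");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the three responses recorded on this ticket.
        System.out.println(map(INVALID_CREDENTIALS, "Invalid Credentials"));
        System.out.println(map(CONSTRAINT_VIOLATION, "The provided password value was rejected by a password "
                + "validator: The provided password is shorter than the minimum required length of 12 characters"));
        System.out.println(map(INSUFFICIENT_ACCESS_RIGHTS, "The entry uid=bjensen,ou=people,dc=openam,"
                + "dc=forgerock,dc=org cannot be modified due to insufficient access rights"));
    }
}
```

Compile and run with a plain JDK; the first two lines printed are the 400 bodies shown later in this ticket, the third is the unchanged generic 500.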

Comment by Tim Nicholls [X] (Inactive) [ 23/Sep/15 ]

Not much activity on this ticket. A little help here would be nice...

Comment by Jake Feasel [ 25/Sep/15 ]

It is worth checking to see if we can get this endpoint working with the amadmin account, too.

Comment by Quentin CASTEL [X] (Inactive) [ 25/Sep/15 ]

Jake Feasel: Can you describe a little bit more your expectation with this endpoint? Admin users are usually interested in resetting passwords (changing password will always require the old password). Maybe OPENAM-5695 fits better with your need?

Comment by Jake Feasel [ 25/Sep/15 ]

I am mainly trying to find out how amadmin changes/resets/updates (whatever you prefer to call it) their own password via rest.

Comment by Scott Heger [ 01/Oct/15 ]

I have a customer who is running into this issue as well. In their case they have a password policy in OpenDJ (their Data Store) that enforces a password history. If an authenticated user attempts to change their password to something in their history, it fails and sends back the following response:

{"code":500,"reason":"Internal Server Error","message":"An error occurred while trying to change the password"}

This is all done over REST and therefore the REST client where the password change was initiated from doesn't have enough information to tell the user why the password change failed. A more specific message here would be desired. Is there any traction on this issue?

Comment by Quentin CASTEL [X] (Inactive) [ 07/Jan/16 ]

OpenAM policy:

curl \
 --request POST \
 --header "iPlanetDirectoryPro: AQIC5wM2LY4Sfcx5UEY100E_Y0sDRVhVcO5-1jfgxpHuFZI.*AAJTSQACMDEAAlNLABM1NDI0NTMxNTIyNzI3MjA0NjYx*" \
 --header "Content-Type: application/json" \
 --data '{
 }' \
{"code":400,"reason":"Bad Request","message":"Minimum password length is 8."}

I set a DJ min password length to 12.

DJ policy issue:

curl \
 --request POST \
 --header "iPlanetDirectoryPro: AQIC5wM2LY4Sfcx5UEY100E_Y0sDRVhVcO5-1jfgxpHuFZI.*AAJTSQACMDEAAlNLABM1NDI0NTMxNTIyNzI3MjA0NjYx*" \
 --header "Content-Type: application/json" \
 --data '{
 }' \
{"code":400,"reason":"Bad Request","message":"Old password is incorrect."}

curl \
 --request POST \
 --header "iPlanetDirectoryPro: AQIC5wM2LY4Sfcx5UEY100E_Y0sDRVhVcO5-1jfgxpHuFZI.*AAJTSQACMDEAAlNLABM1NDI0NTMxNTIyNzI3MjA0NjYx*" \
 --header "Content-Type: application/json" \
 --data '{
 }' \
{"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password is shorter than the minimum required length of 12 characters"}

Comment by Richard Hruza [ 11/Jan/16 ]

The behavior of the change password request was changed:

curl -X POST -H "iPlanetDirectoryPro: <USER TOKEN>" \
-H "Content-Type: application/json" \
-H "Cache-Control: no-cache" \
-d '{
    "currentpassword": "incorrectPassword",
    "userpassword": "newpassword"
}' 'http://riso-centos7.test.forgerock.com:8080/openam/json/users/bjensen?_action=changePassword'

Old behavior returns:

  "code": 401,
  "reason": "Unauthorized",
  "message": "Invalid user credentials."

New Behavior:

  "code": 400,
  "reason": "Bad Request",
  "message": "Old password is incorrect."

This case should be mentioned in the release notes.

Comment by Quentin CASTEL [X] (Inactive) [ 27/Jan/16 ]

8074 is a use case not handled by this fix. There is a good chance you are interested in that one as well.

Comment by Richard Hruza [ 02/May/16 ]

Verified with: OpenAM 12.0.3-RC2 Build 4dbe218a05 (2016-April-25 17:57)


Old Behavior:
  "code": 500,
  "reason": "Internal Server Error",
  "message": "An error occurred while trying to change the password"

Short Password:
  "code": 400,
  "reason": "Bad Request",
  "message": "Minimum password length is 8."

Incorrect old password:
  "code": 400,
  "reason": "Bad Request",
  "message": "Old password is incorrect."

Generated at Sat Oct 24 06:37:43 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.