[OPENIDM-7108] Password Reset Token issued by one process cannot be validated by a different process Created: 15/Nov/16  Updated: 24/May/17  Resolved: 09/Mar/17

Status: Closed
Project: OpenIDM
Component/s: Module - SelfService
Affects Version/s: OpenIDM 4.0.0, OpenIDM 4.5.0, OpenIDM 5.0.0, OpenIDM 5.5.0
Fix Version/s: OpenIDM 5.0.0, OpenIDM 5.5.0

Type: Bug Priority: Blocker
Reporter: Chris Drake Assignee: Brendan Miller
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is backported by OPENIDM-7411 Backport OPENIDM-7108: Password Reset... Closed
Target Version/s:
Verified Version/s:
Story Points: 3
Sprint: OpenIDM Sprint 69
Cases: 16515
Support Ticket IDs:

  1. Start instance of OpenIDM 5.0.0-SNAPSHOT
  2. Configure Outbound Email Service
  3. Configure Password Reset
  4. Create a Managed User w/Password
  5. Log in as the newly created Managed User and configure Security Answers
  6. Logout and initiate Password Reset flow
  7. After receiving the Password Reset email with token
    1. Shutdown the OpenIDM instance
    2. Re-start the OpenIDM instance
  8. Click the Password Reset link to initiate the Reset

Validation of the Password Reset token will fail with the following:

Caused by: org.forgerock.json.jose.exceptions.JweDecryptionException: Decryption failed
       	at org.forgerock.json.jose.jwe.handlers.encryption.AbstractEncryptionHandler.decrypt(AbstractEncryptionHandler.java:109)
       	at org.forgerock.json.jose.jwe.handlers.encryption.AbstractRSAESPkcs1V15AesCbcHmacEncryptionHandler.decryptContentEncryptionKey(AbstractRSAESPkcs1V15AesCbcHmacEncryptionHandler.java:206)
       	at org.forgerock.json.jose.jwe.handlers.encryption.RSA15AES128CBCHS256EncryptionHandler.decryptContentEncryptionKey(RSA15AES128CBCHS256EncryptionHandler.java:28)
       	at org.forgerock.json.jose.jwe.EncryptedJwt.decrypt(EncryptedJwt.java:182)
       	at org.forgerock.json.jose.jws.SignedEncryptedJwt.decrypt(SignedEncryptedJwt.java:85)
       	at org.forgerock.selfservice.stages.tokenhandlers.JwtTokenHandler.validateAndExtractClaims(JwtTokenHandler.java:142)
       	at org.forgerock.selfservice.stages.tokenhandlers.JwtTokenHandler.validateAndExtractState(JwtTokenHandler.java:124)
       	... 111 more

The same problem exists if you attempt to use the Password Reset token on a cluster node other than the one which generated the token.
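The failure mode described above, modelled as an added example (this is not OpenIDM's own JwtTokenHandler code): a simplified JWE-style token whose content key is wrapped with RSA PKCS#1 v1.5, issued by a handler holding one private key and validated by a handler holding another. The names TokenHandler, NewEphemeralHandler and NewSharedHandler and the token layout are assumptions for illustration; the page does not show how the real handler stores its key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// TokenHandler stands in for the JwtTokenHandler: tokens are encrypted to its RSA key.
type TokenHandler struct{ key *rsa.PrivateKey }
// NewEphemeralHandler models the reported behaviour: each process makes its own key pair.
func NewEphemeralHandler() (*TokenHandler, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &TokenHandler{key: k}, err
}
// NewSharedHandler models the fix: every process loads the same key from shared storage.
func NewSharedHandler(k *rsa.PrivateKey) *TokenHandler { return &TokenHandler{key: k} }
// Issue: RSA PKCS#1 v1.5 wraps a fresh AES-256 key (as the RSA15 handler in the trace
// does); AES-GCM seals the state under it. Token layout: wrappedKey | nonce | ciphertext.
func (h *TokenHandler) Issue(state []byte) ([]byte, error) {
	buf := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, &h.key.PublicKey, cek)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(cek) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, nonce...), nonce, state, wrapped), nil // wrapped key is AAD
}
// Validate unwraps the content key with this process's private key. A token issued under
// a different key fails here, which is the JweDecryptionException in the stack trace above.
func (h *TokenHandler) Validate(token []byte) ([]byte, error) {
	n := h.key.Size()
	if len(token) < n+12 {
		return nil, errors.New("token too short")
	}
	wrapped, nonce, ct := token[:n], token[n:n+12], token[n+12:]
	cek, err := rsa.DecryptPKCS1v15(rand.Reader, h.key, wrapped)
	if err != nil || len(cek) != 32 { // wrong key: padding error, or junk of the wrong length
		return nil, errors.New("decryption failed: token was not issued to this process's key")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, nonce, ct, wrapped) // the GCM tag also rejects a 32-byte junk key
}
```

Two ephemeral handlers reproduce the restart and cluster cases from the description; two handlers built from one shared key show why the key must live in storage every node reads.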

Comment by Mark Gibson [ 21/Nov/16 ]

validated with OpenIDM 5.5.0-SNAPSHOT (0aaeb90)

Comment by Laurent Bristiel [X] (Inactive) [ 23/Nov/16 ]

checked OK in OpenIDM version "5.0.0-SNAPSHOT" (revision: 8f49dc7)

Comment by Lana Frost [ 09/Mar/17 ]

Reopening to add to release notes

Comment by Seyed Hossein Ahmadinejad [X] (Inactive) [ 24/May/17 ]

I still have this issue in a cluster when a pass reset token is used by a node other than the one that generated it.

Comment by Seyed Hossein Ahmadinejad [X] (Inactive) [ 24/May/17 ]

I am sorry. I posted this in the wrong place.
