[midPoint] Trouble with Password Mail Reset

Pavol Mederly mederly at evolveum.com
Sat May 25 11:25:23 CEST 2019


Hello Brad,

last year I had to fix a (maybe) related issue in the password security 
questions reset mechanism: 
https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9. 
Maybe you could try to download and use the current code in the support-3.9 
branch; there's a slight chance the fix will also help in your case.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 24.05.2019 21:29, Brad Firestone wrote:
> Hi All,
>
> I'm trying to set up password reset using email on a new system (3.9).  
> I've copied files from a working system (3.8), and also compared them 
> with the samples.  I will include my configs below.
>
> Clicking "Forgot Password" displays the correct form to enter the 
> email address.  Submitting shows success and I receive the email with 
> a link.  Clicking the link opens a browser window that displays the 
> regular login screen, not the password page as would be expected.
>
> The link looks like this (email address changed):
> https://id.example.com/confirm/reset?user=test@example.com&token=7135096842
>
> The log shows:
> DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied access 
> to FilterInvocation: URL: /self/dashboard by anonymousUser : Not logged in
>
> I don't have any idea why the nonce token isn't authenticating 
> correctly.  If anyone has any ideas, I'd appreciate it.
> Thanks!
> Brad
>
> Global Security Policy:
> <securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753"
>     xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
>     <name>Our Global Security Policy</name>
>     <authentication>
>         <mailAuthentication>
>             <name>confirmationLink</name>
>             <displayName>Additional mail authentication</displayName>
>             <mailNonce>mailNonce</mailNonce>
>         </mailAuthentication>
>     </authentication>
>     <credentials>
>         <password>
>             <maxAge>P1000D</maxAge>
>             <lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts>
>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>             <lockoutDuration>PT15M</lockoutDuration>
>             <historyLength>1</historyLength>
>             <valuePolicyRef oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048" type="ValuePolicyType"/>
>             <propagationUserControl>mapping</propagationUserControl>
>         </password>
>         <nonce>
>             <maxAge>PT2H</maxAge>
>             <name>mailNonce</name>
>             <valuePolicyRef oid="b67275c4-735c-11e9-aa36-335e84f81ac6" type="ValuePolicyType"/>
>         </nonce>
>     </credentials>
>     <credentialsReset>
>         <mailReset>
>             <name>Reset password using mail</name>
>             <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
>         </mailReset>
>     </credentialsReset>
> </securityPolicy>
>
> Nonce Value Policy:
> <valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
>              xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>     <name>Nonce Value Policy</name>
>     <description>Value policy for mail-based password reset nonce</description>
>     <stringPolicy>
>         <limitations>
>             <minLength>10</minLength>
>             <limit>
>                 <description>Numbers</description>
>                 <minOccurs>10</minOccurs>
>                 <maxOccurs>10</maxOccurs>
>                 <mustBeFirst>false</mustBeFirst>
>                 <characterClass>
>                     <value>1234567890</value>
>                 </characterClass>
>             </limit>
>         </limitations>
>     </stringPolicy>
> </valuePolicy>
>
> System Config - Password notifier:
> <passwordResetNotifier>
>     <recipientExpression>
>         <script>
>             <code>return requestee.getEmailAddress()</code>
>         </script>
>     </recipientExpression>
>     <bodyExpression>
>         <script>
>             <code>
>                 import com.evolveum.midpoint.notifications.api.events.ModelEvent
>
>                 modelEvent = (ModelEvent) event
>                 newUser = modelEvent.getFocusContext().getObjectNew();
>                 userType = newUser.asObjectable();
>
>                 link = midpoint.createPasswordResetLink(userType)
>                 bodyMessage = "A password reset has been requested for your Account.  " +
>                     "Please click on the link below to complete the password reset. " +
>                     "The link will be valid for 2 hours. " +
>                     "Here is your password reset link:\n" + link
>
>                 return bodyMessage;
>             </code>
>         </script>
>     </bodyExpression>
>     <transport>mail</transport>
> </passwordResetNotifier>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
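Editor's note on the nonce policy quoted above: the value policy restricts the reset token to exactly ten decimal digits, so a generated nonce is one of 10^10 values (about 33 bits) that stays valid for the PT2H configured in the nonce credential. The Python below is an added example, not code from the thread or from midPoint. It parses the same <stringPolicy> limitations the quoted policy uses (minLength, maxLength, per-<limit> minOccurs/maxOccurs/characterClass) and counts how many strings of length minLength satisfy them, so a policy change can be evaluated before it is imported. The second policy (the 32-character alphanumeric one) is a hypothetical alternative written for this example in the same schema; it is not from the thread. The count assumes the character classes are disjoint and that the generated nonce is exactly minLength long, which is the only length the quoted policy admits; for policies that allow longer values the result is a lower bound on the total space. It does not model how midPoint's generator chooses among admissible lengths.

```python
"""Size of the guessing space a midPoint value policy leaves for a generated nonce.

Added example (not from the thread or from midPoint). Assumptions: character
classes are disjoint and the nonce is exactly minLength long; for policies
that admit longer strings the count is a lower bound on the total space.
"""
import math
import xml.etree.ElementTree as ET
from itertools import product

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed copy of the nonce policy quoted in the thread: exactly 10 digits.
NUMERIC_NONCE_POLICY = """
<valuePolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Nonce Value Policy</name>
  <stringPolicy><limitations>
    <minLength>10</minLength>
    <limit><minOccurs>10</minOccurs><maxOccurs>10</maxOccurs>
      <characterClass><value>1234567890</value></characterClass></limit>
  </limitations></stringPolicy>
</valuePolicy>"""

# Constructed alternative (hypothetical, not from the thread): 32 characters,
# at least one letter and at least one digit, expressed in the same schema.
ALNUM_NONCE_POLICY = """
<valuePolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Nonce Value Policy (alphanumeric)</name>
  <stringPolicy><limitations>
    <minLength>32</minLength><maxLength>32</maxLength>
    <limit><minOccurs>1</minOccurs><characterClass>
      <value>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
    </characterClass></limit>
    <limit><minOccurs>1</minOccurs><characterClass>
      <value>0123456789</value></characterClass></limit>
  </limitations></stringPolicy>
</valuePolicy>"""


def parse_policy(xml_text):
    """Return (min_length, [(charset, min_occurs, max_occurs_or_None), ...])."""
    lim = ET.fromstring(xml_text.strip()).find("c:stringPolicy/c:limitations", NS)
    min_len = int(lim.findtext("c:minLength", "0", NS))
    classes = []
    for limit in lim.findall("c:limit", NS):
        chars = set(limit.findtext("c:characterClass/c:value", "", NS))
        min_occ = int(limit.findtext("c:minOccurs", "0", NS))
        max_occ = limit.findtext("c:maxOccurs", None, NS)
        classes.append((chars, min_occ, int(max_occ) if max_occ else None))
    return min_len, classes


def count_strings(length, classes):
    """Count strings of exactly `length` whose per-class character counts
    respect every (minOccurs, maxOccurs). With disjoint classes, each way of
    splitting `length` into per-class counts contributes
    multinomial(length; counts) arrangements times |class|^count choices."""
    total = 0
    ranges = [range(lo, (hi if hi is not None else length) + 1)
              for _, lo, hi in classes]
    for counts in product(*ranges):
        if sum(counts) != length:
            continue
        arrangements = math.factorial(length)
        choices = 1
        for (chars, _, _), n in zip(classes, counts):
            arrangements //= math.factorial(n)
            choices *= len(chars) ** n
        total += arrangements * choices
    return total


def nonce_space(xml_text):
    """Number of distinct nonces the policy can generate at minLength."""
    min_len, classes = parse_policy(xml_text)
    return count_strings(min_len, classes)


def entropy_bits(space):
    return math.log2(space)


def guess_rate_to_cover_half(space, max_age_seconds):
    """Sustained guesses per second needed to enumerate half the space
    within the nonce lifetime (the thread's PT2H is 7200 s)."""
    return space / 2 / max_age_seconds


if __name__ == "__main__":
    for label, policy in (("10 digits", NUMERIC_NONCE_POLICY),
                          ("32 alphanumeric", ALNUM_NONCE_POLICY)):
        space = nonce_space(policy)
        print(f"{label}: {space} nonces, {entropy_bits(space):.1f} bits, "
              f"{guess_rate_to_cover_half(space, 7200):.3g} guesses/s to cover half in 2 h")
```

The multinomial loop is what makes the tool general: a policy with several character classes and open-ended maxOccurs (as in the alphanumeric variant) is counted exactly, which a plain |alphabet|^length estimate would overstate. Whether the resulting rate is reachable against /confirm/reset depends on request throttling in front of the instance, which the thread does not describe.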