[midPoint] Error with midpoint.createPasswordResetLink()
Pascal Perichon
pascal.perichon at u-paris.fr
Tue May 26 15:18:22 CEST 2020
Hello,
The function midpoint.createPasswordResetLink() uses a token created with
the password policy rules.
In our password policy we use some characters that are problematic for
URLs. For example, I had a password reset link like this (generated by
midPoint):
https://midpoint-test.u-paris.fr/midpoint/confirm/reset?user=jsmith&token=uWU9Y3Au,O+O
When I use this link, I get a message from midPoint: "Invalid username
and/or password.", and that seems to be normal (special characters in the
query).
Of course, when I manually encode the query part:
https://midpoint-test.u-paris.fr/midpoint/confirm/reset?user=jsmith&token=uWU9Y3Au%2CO%2BO
then midPoint works perfectly and I can reset the password.
Unfortunately, the functions in the midPoint library used in
createPasswordResetLink() are private.
So the only way to get a valid URL is either to have a second password
policy for the nonce without characters reserved in URLs, or to split
the URL in a Groovy script, catch the query parameter and encode it:
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import com.evolveum.midpoint.schema.constants.SchemaConstants;

// Link as generated by midPoint; the nonce is the last query parameter.
url = midpoint.createPasswordResetLink(user);
// Split at "token=" so that everything after it is the raw nonce.
splitUrl = url.split(SchemaConstants.TOKEN + "=", -1);
// Re-assemble the link with the nonce percent-encoded
// (application/x-www-form-urlencoded, which is what the servlet container decodes).
link = splitUrl[0] + SchemaConstants.TOKEN + '=' +
    URLEncoder.encode(splitUrl[1], StandardCharsets.UTF_8.name());
We don't want to manage two password policies, so is this Groovy script
the right way to do it? (Or maybe an encoding step is missing in the
private midPoint library function "createTokenConfirmationLink"??)
(Yes, the Groovy script is fragile if something changes in a future
release of the midPoint library functions.)
Thanks
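The encoding problem described in the message above, as an added stand-alone Groovy example (not code from the post or from midPoint): it percent-encodes the token parameter the same way the poster's script does, and then decodes the query string the way a servlet container would, to show why the raw link fails (a '+' in the nonce decodes to a space and an '&' starts a new parameter) while the encoded one round-trips intact. The parameter name 'token', the hostname midpoint.example.org and the nonce value are constructed sample values; in a real midPoint script the link would come from midpoint.createPasswordResetLink(user) and the parameter name from SchemaConstants.TOKEN.

```groovy
import groovy.transform.Field
import java.net.URLDecoder
import java.net.URLEncoder
import java.nio.charset.StandardCharsets

// Name of the query parameter carrying the nonce (assumption: midPoint's
// SchemaConstants.TOKEN; the literal is used so the script runs outside midPoint).
@Field final String TOKEN_PARAM = 'token'

// Percent-encode the value of the token parameter. Everything after the first
// "token=" is treated as the token, because the reset link puts it last;
// the part before it (scheme, host, path, user=...) is left untouched.
String encodeTokenParam(String link) {
    String marker = TOKEN_PARAM + '='
    int at = link.indexOf(marker)
    if (at < 0) {
        return link // no token parameter: nothing to encode
    }
    String head = link.substring(0, at + marker.length())
    String token = link.substring(at + marker.length())
    return head + URLEncoder.encode(token, StandardCharsets.UTF_8.name())
}

// Mimic what a servlet container does with the query string: split on '&' and
// '=', then apply application/x-www-form-urlencoded decoding to each part.
// The resulting value is what the server compares against the stored nonce.
Map<String, String> parseQuery(String link) {
    int q = link.indexOf('?')
    if (q < 0) {
        return [:]
    }
    Map<String, String> params = [:]
    link.substring(q + 1).split('&').each { String pair ->
        int eq = pair.indexOf('=')
        String name = eq < 0 ? pair : pair.substring(0, eq)
        String value = eq < 0 ? '' : pair.substring(eq + 1)
        params[URLDecoder.decode(name, StandardCharsets.UTF_8.name())] =
            URLDecoder.decode(value, StandardCharsets.UTF_8.name())
    }
    return params
}

// Constructed sample: a nonce containing characters reserved in URLs
// (',' and '+' as in the original report, plus '&' to show the other failure mode).
String nonce = 'uWU9Y3Au,O+O&x'
String raw = 'https://midpoint.example.org/midpoint/confirm/reset?user=jsmith&' +
    TOKEN_PARAM + '=' + nonce
String fixed = encodeTokenParam(raw)

println "raw link:     ${raw}"
println "encoded link: ${fixed}"
println "server sees (raw):     ${parseQuery(raw)}"
println "server sees (encoded): ${parseQuery(fixed)}"

// The raw link loses the nonce: '+' decodes to a space and '&' starts a new parameter.
assert parseQuery(raw)[TOKEN_PARAM] == 'uWU9Y3Au,O O'
// After encoding, the server-side value of the parameter matches the stored nonce exactly.
assert parseQuery(fixed)[TOKEN_PARAM] == nonce
```

The encoder deliberately splits on "token=" rather than on '&', because a nonce drawn from a password policy may itself contain '&' or '='; splitting the raw query on those characters first would truncate it. URLEncoder produces form encoding (space becomes '+'), which is exactly what servlet parameter decoding reverses, so the value that reaches the application equals the generated nonce.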