[midPoint] [Midpoint 4.4]Questions regarding the reset password functionality.

Sébastien MARBRIER smarbrier at positivethinking.tech
Thu Jan 27 14:55:10 CET 2022


Hello.

I currently have a midpoint 4.4 using several notifiers inherited from midpoint 4.0.1.

In the SystemConfiguration they look like this:
    <handler>
        <name>Handler for password reinint</name>
        <passwordResetNotifier>
            <recipientExpression>
                <script>
                    <code>
                        return requestee.getEmailAddress();
                    </code>
                </script>
            </recipientExpression>
            <subjectExpression>
                <value>...</value>
            </subjectExpression>
            <fromExpression>
                <value>no-reply at dummy.netr</value>
            </fromExpression>
            <bodyExpression>
                <script>
                    <code>
                        [snip]
                    </code>
                </script>
            </bodyExpression>
            <transport>mail</transport>
            <transport>file:filename</transport>
        </passwordResetNotifier>
    </handler>

In the globalSecurityPolicy:
For user activation with confirmation link:
    <authentication>
        <mailAuthentication>
            <displayName>Additionnal authentication Mail</displayName>
            <name>confirmationLink</name>
            <mailNonce>mailNonce</mailNonce>
        </mailAuthentication>
    </authentication>

And for the password reset with a form:
    <credentialsReset>
        <mailReset>
            <name>Reset password using mail</name>
            <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
            <formRef oid="[...]" relation="org:default" type="c:FormType"></formRef>
        </mailReset>
    </credentialsReset>

Currently, when the password reset is done using the Form, nothing happens.
When the confirmation link is used, a message saying that it is not possible to reset passwords is displayed.
No logs are written from the code sections (I used log.info()), so I assume the handler is not called.

I tried to activate the traces, so I set the Notification logger and the Authorization (SecurityEnforcerImpl) logger to the trace level.
Among the useless traces I found this interesting one:
2022-01-26 16:25:36,158 [] [midPointScheduler_Worker-1] TRACE (com.evolveum.midpoint.notifications.impl.handlers.AggregatedEventHandler): Starting processing event TaskEventImpl(1643210736156-0-1) with handler < Handler for password reinint>
  parameters:
  configuration: com.evolveum.midpoint.xml.ns._public.common.common_3.EventHandlerType at 39cb9d1b[accountActivationNotifier=<null>,accountPasswordNotifier=<null>,category=<null>,chained=<null>,customNotifier=<null>,description=<null>,documentation=<null>,expressionFilter=<null>,focusType=<null>,forked=<null>,generalNotifier=<null>,name= Handler for password reinint,objectIntent=<null>,objectKind=<null>,operation=<null>,passwordResetNotifier=[com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordResetNotifierType at 4c26341a[confirmationMethod=<null>,attachment=<null>,attachmentExpression=<null>,bccExpression=<null>,bodyExpression=com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType at 6fb465f0[allowEmptyValues=<null>,description=<null>,documentation=<null>,expressionEvaluator=[javax.xml.bind.JAXBElement at 3567d118],extension=<null>,name=<null>,parameter=<null>,queryInterpretationOfNoValue=<null>,returnMultiplicity=<null>,returnType=<null>,runAsRef=<null>,stringFilter=<null>,trace=<null>,variable=<null>],ccExpression=<null>,contentType=<null>,contentTypeExpression=<null>,fromExpression=com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType at 50a1b1ea[allowEmptyValues=<null>,description=<null>,documentation=<null>,expressionEvaluator=[javax.xml.bind.JAXBElement at 2d5ac900],extension=<null>,name=<null>,parameter=<null>,queryInterpretationOfNoValue=<null>,returnMultiplicity=<null>,returnType=<null>,runAsRef=<null>,stringFilter=<null>,trace=<null>,variable=<null>],recipientExpression=[com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType at 618da2be[allowEmptyValues=<null>,description=<null>,documentation=<null>,expressionEvaluator=[javax.xml.bind.JAXBElement at 
6a694086],extension=<null>,name=<null>,parameter=<null>,queryInterpretationOfNoValue=<null>,returnMultiplicity=<null>,returnType=<null>,runAsRef=<null>,stringFilter=<null>,trace=<null>,variable=<null>]],showModifiedValues=<null>,showTechnicalInformation=<null>,subjectExpression=com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType at 379a92c0[allowEmptyValues=<null>,description=<null>,documentation=<null>,expressionEvaluator=[javax.xml.bind.JAXBElement at 4cf34ffa],extension=<null>,name=<null>,parameter=<null>,queryInterpretationOfNoValue=<null>,returnMultiplicity=<null>,returnType=<null>,runAsRef=<null>,stringFilter=<null>,trace=<null>,variable=<null>],subjectPrefix=<null>,transport=[mail, file:changement_mot_de_passe<file://changement_mot_de_passe>],watchAuxiliaryAttributes=<null>,accountActivationNotifier=<null>,accountPasswordNotifier=<null>,category=<null>,chained=<null>,customNotifier=<null>,description=<null>,documentation=<null>,expressionFilter=<null>,focusType=<null>,forked=<null>,generalNotifier=<null>,name=<null>,objectIntent=<null>,objectKind=<null>,operation=<null>,passwordResetNotifier=<null>,simpleCampaignNotifier=<null>,simpleCampaignStageNotifier=<null>,simpleCaseManagementNotifier=<null>,simpleFocalObjectNotifier=<null>,simplePolicyRuleNotifier=<null>,simpleReportNotifier=<null>,simpleResourceObjectNotifier=<null>,simpleReviewerNotifier=<null>,simpleTaskNotifier=<null>,simpleUserNotifier=<null>,simpleWorkflowNotifier=<null>,status=<null>,timeValidityNotifier=<null>,userPasswordNotifier=<null>,userRegistrationNotifier=<null>]],simpleCampaignNotifier=<null>,simpleCampaignStageNotifier=<null>,simpleCaseManagementNotifier=<null>,simpleFocalObjectNotifier=<null>,simplePolicyRuleNotifier=<null>,simpleReportNotifier=<null>,simpleResourceObjectNotifier=<null>,simpleReviewerNotifier=<null>,simpleTaskNotifier=<null>,simpleUserNotifier=<null>,simpleWorkflowNotifier=<null>,status=<null>,timeValidityNotifier=<null>,userPasswordNotifier=<null>,use
rRegistrationNotifier=<null>]
2022-01-26 16:25:36,158 [] [midPointScheduler_Worker-1] TRACE (com.evolveum.midpoint.notifications.impl.EventHandlerRegistry): Not forwarding event TaskEventImpl{id=1643210736156-0-1,requester=SimpleObjectRef{oid='00000000-0000-0000-0000-000000000002', objectType=user:00000000-0000-0000-0000-000000000002(administrator)},requestee=SimpleObjectRef{oid='00000000-0000-0000-0000-000000000002', objectType=user:00000000-0000-0000-0000-000000000002(administrator)}} to handler com.evolveum.midpoint.notifications.impl.notifiers.PasswordResetNotifier at 4a141eaf because the handler does not support events of that type

I am not sure I have fully understood, but it looks like passwordResetNotifier no longer exists.
However, according to the midPoint documentation this property still exists: https://docs.evolveum.com/midpoint/reference/security/credentials/password-reset/
And also in the javadoc: https://www.evolveum.com/downloads/midpoint/4.4/midpoint-api-4.4-javadoc/com/evolveum/midpoint/xml/ns/_public/common/common_3/EventHandlerType.html

I took into account that securityPolicy/authentication/mailAuthentication and securityPolicy/credentialsReset/mailReset are deprecated and flexible authentication should be used instead (but they should still be present in 4.4).
Could this explain the issues?

Best regards,


Sébastien Marbrier  | Senior IT Consultant
smarbrier at positivethinking.tech<mailto:smarbrier at positivethinking.tech>
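To triage traces like the one quoted above, here is an added Python helper (not part of the post or of midPoint) that parses the AggregatedEventHandler and EventHandlerRegistry TRACE lines and reports, per event, which notifier class refused it because of the event type. The sample log is constructed from the format quoted above; the third line (a ModelEventImpl event) is made up to show a non-task event passing through.

```python
import re
from collections import defaultdict

# Constructed sample of midPoint notification TRACE output, modelled on the two lines
# quoted in the post; the third line is made up (event ids and object addresses are not real).
SAMPLE_LOG = """\
2022-01-26 16:25:36,158 [] [midPointScheduler_Worker-1] TRACE (com.evolveum.midpoint.notifications.impl.handlers.AggregatedEventHandler): Starting processing event TaskEventImpl(1643210736156-0-1) with handler < Handler for password reinint>
2022-01-26 16:25:36,158 [] [midPointScheduler_Worker-1] TRACE (com.evolveum.midpoint.notifications.impl.EventHandlerRegistry): Not forwarding event TaskEventImpl{id=1643210736156-0-1,requester=SimpleObjectRef{oid='00000000-0000-0000-0000-000000000002'}} to handler com.evolveum.midpoint.notifications.impl.notifiers.PasswordResetNotifier at 4a141eaf because the handler does not support events of that type
2022-01-26 16:25:37,010 [] [http-nio-8080-exec-3] TRACE (com.evolveum.midpoint.notifications.impl.handlers.AggregatedEventHandler): Starting processing event ModelEventImpl(1643210737009-0-2) with handler < Handler for password reinint>
"""

# "Starting processing event <EventClass>(<id>) with handler < name >"
START_RE = re.compile(
    r"TRACE \(\S+AggregatedEventHandler\): Starting processing event "
    r"(?P<etype>\w+)\((?P<eid>[\w-]+)\) with handler <\s*(?P<handler>[^>]+?)\s*>")
# "Not forwarding event <EventClass>{id=<id>,...} to handler <class>@<addr> because ..."
# (the mailing-list archive renders '@' as ' at ', so both spellings are accepted)
REJECT_RE = re.compile(
    r"TRACE \(\S+EventHandlerRegistry\): Not forwarding event (?P<etype>\w+)\{id=(?P<eid>[\w-]+),"
    r".*? to handler (?P<notifier>[\w.]+?)(?:@| at )\w+ because the handler does not support")

def triage(log_text):
    """Map each event id to its event class, the configured handler that received it,
    and the notifier classes that refused it because of the event type."""
    events = {}
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            events.setdefault(m["eid"], {"type": m["etype"], "handler": m["handler"], "rejected_by": []})
            continue
        m = REJECT_RE.search(line)
        if m:
            e = events.setdefault(m["eid"], {"type": m["etype"], "handler": None, "rejected_by": []})
            e["rejected_by"].append(m["notifier"].rsplit(".", 1)[-1])
    return events

def unsupported_event_types(log_text):
    """Per notifier class, the set of event classes it refused: for those events the
    notifier never ran its recipient/body scripts, which is why no log.info() appears."""
    out = defaultdict(set)
    for e in triage(log_text).values():
        for notifier in e["rejected_by"]:
            out[notifier].add(e["type"])
    return dict(out)

if __name__ == "__main__":
    for eid, e in triage(SAMPLE_LOG).items():
        print(eid, e)
    print(unsupported_event_types(SAMPLE_LOG))
```

Run it against a real trace file by passing the file contents to triage(); an event that appears only under rejected_by was never delivered to that notifier, regardless of what the handler is named.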