<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Brad,</p>
<p>last year I had to fix a (maybe) related issue in password
security questions reset mechanism: <a moz-do-not-send="true"
href="https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9">https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9</a>.
Maybe you could try to download and use the current code in
support-3.9 branch; there's a slight chance the fix will help also
in your case.</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 24.05.2019 21:29, Brad Firestone
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:86987a06-107a-b2a6-80fe-0b33fd61fc22@gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
Hi All,<br>
<br>
I'm trying to setup password reset using email on a new system
(3.9). I've copied files from a working system (3.8), and also
compared them with the samples. I will include my configs below.<br>
<br>
Clicking "Forgot Password" displays the correct form to enter the
email address. Submitting shows success and I receive the email
with a link. Clicking the link opens a browser window that
displays the regular login screen, not the password page as would
be expected.<br>
<br>
The link looks like this (email address changed):<br>
<pre wrap=""><a class="moz-txt-link-freetext" href="https://id.nazarene.org/confirm/reset?user=bfirestone@globalnaz.org&token=7135096842" moz-do-not-send="true">https://id.example.com/confirm/reset?user=test@example.com&token=7135096842</a></pre>
<br>
The log shows:<br>
DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied
access to FilterInvocation: URL: /self/dashboard by anonymousUser
: Not logged in<br>
<br>
I don't have any idea why the nonce token isn't authenticating
correctly. If anyone has any ideas, I'd appreciate it.<br>
Thanks!<br>
Brad<br>
<br>
Global Security Policy:<br>
<securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753" <br>
xmlns='<a class="moz-txt-link-freetext"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
moz-do-not-send="true">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>'><br>
<name>Our Global Security Policy</name><br>
<authentication><br>
<mailAuthentication><br>
<name>confirmationLink</name><br>
<displayName>Additional mail
authnetication</displayName><br>
<mailNonce>mailNonce</mailNonce><br>
</mailAuthentication><br>
</authentication><br>
<credentials><br>
<password><br>
<maxAge>P1000D</maxAge><br>
<lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts><br>
<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration><br>
<lockoutDuration>PT15M</lockoutDuration><br>
<historyLength>1</historyLength><br>
<valuePolicyRef
oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048"
type="ValuePolicyType"></valuePolicyRef><br>
<propagationUserControl>mapping</propagationUserControl><br>
</password><br>
<nonce><br>
<maxAge>PT2H</maxAge><br>
<name>mailNonce</name><br>
<valuePolicyRef
oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
type="ValuePolicyType"></valuePolicyRef><br>
</nonce><br>
</credentials><br>
<credentialsReset><br>
<mailReset><br>
<name>Reset password using mail</name><br>
<additionalAuthenticationName>confirmationLink</additionalAuthenticationName><br>
</mailReset><br>
</credentialsReset><br>
</securityPolicy><br>
<br>
Nonce Value Policy:<br>
<valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"<br>
xmlns=<a class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
moz-do-not-send="true">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a>><br>
<name>Nonce Value Policy</name><br>
<description>Value policy for mail-based password reset
nonce</description><br>
<stringPolicy><br>
<limitations><br>
<minLength>10</minLength><br>
<limit><br>
<description>Numbers</description><br>
<minOccurs>10</minOccurs><br>
<maxOccurs>10</maxOccurs><br>
<mustBeFirst>false</mustBeFirst><br>
<characterClass><br>
<value>1234567890</value><br>
</characterClass><br>
</limit><br>
</limitations><br>
</stringPolicy><br>
</valuePolicy><br>
<br>
System Config - Password notifier:<br>
<passwordResetNotifier><br>
<recipientExpression><br>
<script><br>
<code>return
requestee.getEmailAddress()</code><br>
</script><br>
</recipientExpression><br>
<bodyExpression><br>
<script><br>
<code><br>
<br>
import
com.evolveum.midpoint.notifications.api.events.ModelEvent<br>
modelEvent = (ModelEvent) event<br>
newUser =
modelEvent.getFocusContext().getObjectNew();<br>
userType = newUser.asObjectable();<br>
<br>
link = midpoint.createPasswordResetLink(userType)<br>
bodyMessage = "A password reset has been requested
for your Account. Please click on the link below to complete the
password reset. The link will be valid for 2
hours. " +<br>
"Here is your password reset link:\n" + link<br>
<br>
return bodyMessage;<br>
</code><br>
</script><br>
</bodyExpression><br>
<transport>mail</transport><br>
<br>
</passwordResetNotifier><br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</body>
</html>