<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hello Brad,</p>
    <p>Last year I had to fix a (maybe) related issue in the password
      security questions reset mechanism: <a
href="https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9">https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9</a>.
      Maybe you could try to download and use the current code in the
      support-3.9 branch; there's a slight chance the fix will also help
      in your case.</p>
    <p>Best regards,<br>
    </p>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
    <div class="moz-cite-prefix">On 24.05.2019 21:29, Brad Firestone
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:86987a06-107a-b2a6-80fe-0b33fd61fc22@gmail.com">
      Hi All,<br>
      <br>
      I'm trying to set up password reset using email on a new system
      (3.9).  I've copied files from a working system (3.8), and also
      compared them with the samples.  I will include my configs below.<br>
      <br>
      Clicking "Forgot Password" displays the correct form to enter the
      email address.  Submitting shows success and I receive the email
      with a link.  Clicking the link opens a browser window that
      displays the regular login screen, not the password page as would
      be expected.<br>
      <br>
      The link looks like this (email address changed):<br>
      <pre wrap=""><a class="moz-txt-link-freetext" href="https://id.nazarene.org/confirm/reset?user=bfirestone@globalnaz.org&token=7135096842" moz-do-not-send="true">https://id.example.com/confirm/reset?user=test@example.com&token=7135096842</a></pre>
      <br>
      The log shows:<br>
      DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied
      access to FilterInvocation: URL: /self/dashboard by anonymousUser
      : Not logged in<br>
      <br>
      I don't have any idea why the nonce token isn't authenticating
      correctly.  If anyone has any ideas, I'd appreciate it.<br>
      Thanks!<br>
      Brad<br>
      <br>
      Global Security Policy:<br>
      <pre wrap="">&lt;securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753"
    xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'&gt;
    &lt;name&gt;Our Global Security Policy&lt;/name&gt;
    &lt;authentication&gt;
        &lt;mailAuthentication&gt;
            &lt;name&gt;confirmationLink&lt;/name&gt;
            &lt;displayName&gt;Additional mail authentication&lt;/displayName&gt;
            &lt;mailNonce&gt;mailNonce&lt;/mailNonce&gt;
        &lt;/mailAuthentication&gt;
    &lt;/authentication&gt;
    &lt;credentials&gt;
        &lt;password&gt;
            &lt;maxAge&gt;P1000D&lt;/maxAge&gt;
            &lt;lockoutMaxFailedAttempts&gt;5&lt;/lockoutMaxFailedAttempts&gt;
            &lt;lockoutFailedAttemptsDuration&gt;PT3M&lt;/lockoutFailedAttemptsDuration&gt;
            &lt;lockoutDuration&gt;PT15M&lt;/lockoutDuration&gt;
            &lt;historyLength&gt;1&lt;/historyLength&gt;
            &lt;valuePolicyRef oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048"
                            type="ValuePolicyType"&gt;&lt;/valuePolicyRef&gt;
            &lt;propagationUserControl&gt;mapping&lt;/propagationUserControl&gt;
        &lt;/password&gt;
        &lt;nonce&gt;
            &lt;maxAge&gt;PT2H&lt;/maxAge&gt;
            &lt;name&gt;mailNonce&lt;/name&gt;
            &lt;valuePolicyRef oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
                            type="ValuePolicyType"&gt;&lt;/valuePolicyRef&gt;
        &lt;/nonce&gt;
    &lt;/credentials&gt;
    &lt;credentialsReset&gt;
        &lt;mailReset&gt;
            &lt;name&gt;Reset password using mail&lt;/name&gt;
            &lt;additionalAuthenticationName&gt;confirmationLink&lt;/additionalAuthenticationName&gt;
        &lt;/mailReset&gt;
    &lt;/credentialsReset&gt;
&lt;/securityPolicy&gt;</pre>
      <br>
      Nonce Value Policy:<br>
      <pre wrap="">&lt;valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
             xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"&gt;
    &lt;name&gt;Nonce Value Policy&lt;/name&gt;
    &lt;description&gt;Value policy for mail-based password reset nonce&lt;/description&gt;
    &lt;stringPolicy&gt;
        &lt;limitations&gt;
            &lt;minLength&gt;10&lt;/minLength&gt;
            &lt;limit&gt;
                &lt;description&gt;Numbers&lt;/description&gt;
                &lt;minOccurs&gt;10&lt;/minOccurs&gt;
                &lt;maxOccurs&gt;10&lt;/maxOccurs&gt;
                &lt;mustBeFirst&gt;false&lt;/mustBeFirst&gt;
                &lt;characterClass&gt;
                    &lt;value&gt;1234567890&lt;/value&gt;
                &lt;/characterClass&gt;
            &lt;/limit&gt;
        &lt;/limitations&gt;
    &lt;/stringPolicy&gt;
&lt;/valuePolicy&gt;</pre>
      <br>
      System Config - Password notifier:<br>
      <pre wrap="">&lt;passwordResetNotifier&gt;
    &lt;recipientExpression&gt;
        &lt;script&gt;
            &lt;code&gt;return requestee.getEmailAddress()&lt;/code&gt;
        &lt;/script&gt;
    &lt;/recipientExpression&gt;
    &lt;bodyExpression&gt;
        &lt;script&gt;
            &lt;code&gt;
                import com.evolveum.midpoint.notifications.api.events.ModelEvent

                // the event passed to the notifier script is a ModelEvent; take the
                // focus object (the user) as it is after the change
                modelEvent = (ModelEvent) event
                newUser = modelEvent.getFocusContext().getObjectNew();
                userType = newUser.asObjectable();

                // build the reset link for that user and put it in the mail body
                link = midpoint.createPasswordResetLink(userType)
                bodyMessage = "A password reset has been requested for your Account.  " +
                    "Please click on the link below to complete the password reset. " +
                    "The link will be valid for 2 hours. " +
                    "Here is your password reset link:\n" + link

                return bodyMessage;
            &lt;/code&gt;
        &lt;/script&gt;
    &lt;/bodyExpression&gt;
    &lt;transport&gt;mail&lt;/transport&gt;
&lt;/passwordResetNotifier&gt;</pre>
      <br>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
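    <p>Added example for this thread (not code from the thread, and not midPoint's own validation or link-handling code): an offline checker that reads the posted nonce value policy, verifies whether a token taken from a reset link conforms to it, computes how much entropy that policy actually yields (ten digits drawn from "1234567890" gives about 33 bits), and tests the link's age against the nonce maxAge of PT2H. The duration parser, the policy parser and the check functions are this example's own; it assumes the nonce is generated at exactly the policy's minLength (the posted policy sets no maxLength) and treats a link as expired when its age exceeds maxAge. It does not model what midPoint does with the /confirm/reset request itself, so it cannot explain the redirect to the login page; it only lets you rule the token and its age in or out as causes.</p>

```python
"""Offline checks for a midPoint-style mail-reset nonce (added example, not midPoint code).

Assumptions (not stated in the thread): the nonce is generated at exactly
stringPolicy/limitations/minLength characters, and a link counts as expired
once its age exceeds the nonce maxAge.
"""
import math
import re
import xml.etree.ElementTree as ET
from datetime import timedelta
from urllib.parse import parse_qs, urlparse

NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q = "{%s}" % NS  # Clark-notation prefix for ElementTree lookups

# Sample input: the nonce value policy as posted in the thread (oid copied from the post).
NONCE_VALUE_POLICY = f"""<valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6" xmlns="{NS}">
  <name>Nonce Value Policy</name>
  <stringPolicy>
    <limitations>
      <minLength>10</minLength>
      <limit>
        <description>Numbers</description>
        <minOccurs>10</minOccurs>
        <maxOccurs>10</maxOccurs>
        <mustBeFirst>false</mustBeFirst>
        <characterClass><value>1234567890</value></characterClass>
      </limit>
    </limitations>
  </stringPolicy>
</valuePolicy>"""

_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_iso_duration(text):
    """Parse the ISO 8601 duration subset used in the posted policy (P1000D, PT2H, PT3M)."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    g = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(days=g.get("d", 0), hours=g.get("h", 0),
                     minutes=g.get("m", 0), seconds=g.get("s", 0))


def parse_string_policy(xml_text):
    """Extract minLength and the per-character-class limits from a valuePolicy document."""
    root = ET.fromstring(xml_text)
    lim = root.find(f"{Q}stringPolicy/{Q}limitations")
    policy = {"min_length": int(lim.findtext(f"{Q}minLength")), "limits": []}
    for limit in lim.findall(f"{Q}limit"):
        max_occurs = limit.findtext(f"{Q}maxOccurs")
        policy["limits"].append({
            "description": limit.findtext(f"{Q}description"),
            "min_occurs": int(limit.findtext(f"{Q}minOccurs") or 0),
            "max_occurs": int(max_occurs) if max_occurs is not None else None,
            "chars": set(limit.findtext(f"{Q}characterClass/{Q}value")),
        })
    return policy


def _alphabet(policy):
    return set().union(*(l["chars"] for l in policy["limits"]))


def nonce_conforms(nonce, policy):
    """True if the nonce meets minLength, uses only policy characters and respects each limit."""
    if len(nonce) < policy["min_length"] or not set(nonce) <= _alphabet(policy):
        return False
    for lim in policy["limits"]:
        n = sum(c in lim["chars"] for c in nonce)
        if n < lim["min_occurs"] or (lim["max_occurs"] is not None and n > lim["max_occurs"]):
            return False
    return True


def nonce_entropy_bits(policy):
    """Entropy of a nonce drawn uniformly, minLength characters long, from the combined alphabet."""
    return policy["min_length"] * math.log2(len(_alphabet(policy)))


def parse_reset_link(url):
    """Return (user, token) from a /confirm/reset?user=...&token=... link."""
    qs = parse_qs(urlparse(url).query)
    return qs["user"][0], qs["token"][0]


def check_reset_link(url, policy, age, max_age):
    """Summarise what can be verified about a reset link without access to the server."""
    user, token = parse_reset_link(url)
    return {
        "user": user,
        "token_conforms": nonce_conforms(token, policy),
        "expired": age > max_age,
        "entropy_bits": round(nonce_entropy_bits(policy), 1),
    }


if __name__ == "__main__":
    policy = parse_string_policy(NONCE_VALUE_POLICY)
    link = "https://id.example.com/confirm/reset?user=test@example.com&token=7135096842"
    # constructed scenario: the link is clicked three hours after it was issued
    print(check_reset_link(link, policy, parse_iso_duration("PT3H"), parse_iso_duration("PT2H")))
```

<p>Run it against the token from the mail and the timestamps in your mail and midPoint logs: if <code>token_conforms</code> is false the nonce was not produced by the policy you think is in force, and if <code>expired</code> is true the redirect to the login page is the expected outcome of a stale link rather than a bug.</p>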
  </body>
</html>