<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>hello,</p>
    <p>The function midpoint.createPasswordResetLink() uses a token
      created with the password policy rules.</p>
    <p>In our password policy we use some characters that are
      problematic for URLs. For example, I had a reset password link like
      this (generated by midpoint):</p>
    <p>   
<a class="moz-txt-link-freetext" href="https://midpoint-test.u-paris.fr/midpoint/confirm/reset?user=jsmith&token=uWU9Y3Au,O+O">https://midpoint-test.u-paris.fr/midpoint/confirm/reset?user=jsmith&token=uWU9Y3Au,O+O</a></p>
    <p>When I use this link, I get a message from midpoint: "Invalid
      username and/or password.", and it seems to be normal (special
      characters in the query).</p>
    <p>Of course, when I encode the query part manually:</p>
    <p>   
<a class="moz-txt-link-freetext" href="https://midpoint-test.u-paris.fr/midpoint/confirm/reset?user=jsmith&token=uWU9Y3Au%2CO%2BO">https://midpoint-test.u-paris.fr/midpoint/confirm/reset?user=jsmith&token=uWU9Y3Au%2CO%2BO</a></p>
    <p>then midpoint works perfectly and I can reset the password.</p>
    <p>Unfortunately, the functions in the midpoint library used in
      createPasswordResetLink() are private.</p>
    <p>So the only way to have a valid URL link is to have a second
      password policy for the nonce without URL-reserved characters,
      or to break up the URL in a Groovy script, catch the query
      parameter and encode it:</p>
    <pre>
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import com.evolveum.midpoint.schema.constants.SchemaConstants;

// link generated by midPoint, with the raw nonce in the query string
url = midpoint.createPasswordResetLink(user);
// everything after "token=" is the nonce (the token is the last parameter)
splitUrl = url.split(SchemaConstants.TOKEN + "=", -1);
// re-assemble the link with the nonce percent-encoded
link = splitUrl[0] + SchemaConstants.TOKEN + '=' + URLEncoder.encode(splitUrl[1], StandardCharsets.UTF_8 as String);
</pre>
    <p>We don't want to manage 2 password policies, so is this Groovy
      script the right way to do it? (Or maybe it misses an encoding step
      in the private midpoint library function "createTokenConfirmationLink"?)</p>
    <p>(Yes, the Groovy script is fragile if something changes in a future
      release of the midpoint library functions.)</p>
    <p>Thanks</p>
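    <p>As an added example that is not part of the original post and not
      midPoint's own code, the stand-alone Groovy script below performs the
      same encoding step as the script in the post, but locates the token
      parameter by name, reads the token back the way the server side decodes
      a query string to confirm the round trip, and flags nonces that would
      need no encoding at all. It assumes the token is the last query parameter,
      which is the shape of the generated link shown above; the sample nonce is
      constructed for the example, and encodeTokenParameter,
      decodeTokenParameter and isQuerySafe are hypothetical names, not midPoint
      API. In a real midPoint script, url would come from
      midpoint.createPasswordResetLink(user) and the parameter name from
      SchemaConstants.TOKEN, as in the post.</p>

```groovy
import java.net.URLDecoder
import java.net.URLEncoder
import java.nio.charset.StandardCharsets

// Percent-encode the value of the token parameter of a reset link.
// Assumes the token is the last query parameter, which is the shape of the
// links midPoint generates (...?user=<name>&token=<nonce>), so everything
// after "token=" is the raw nonce even when it contains '&' or '='.
String encodeTokenParameter(String url, String paramName = 'token') {
    String marker = paramName + '='
    int at = url.indexOf('?' + marker)
    if (at < 0) {
        at = url.indexOf('&' + marker)
    }
    if (at < 0) {
        return url                                  // no token parameter: nothing to encode
    }
    int valueStart = at + 1 + marker.length()
    String rawToken = url.substring(valueStart)
    // URLEncoder applies application/x-www-form-urlencoded rules, the ones a
    // servlet container applies when it decodes a query string:
    // ',' -> %2C, '+' -> %2B, '&' -> %26, '=' -> %3D, '#' -> %23, space -> '+'.
    String encodedToken = URLEncoder.encode(rawToken, StandardCharsets.UTF_8.name())
    return url.substring(0, valueStart) + encodedToken
}

// Read the token back the way the server side does (split on '&', decode the
// value), so the round trip decode(encode(nonce)) == nonce can be checked.
String decodeTokenParameter(String url, String paramName = 'token') {
    int q = url.indexOf('?')
    if (q < 0) {
        return null
    }
    for (String pair : url.substring(q + 1).split('&')) {
        int eq = pair.indexOf('=')
        String name = eq < 0 ? pair : pair.substring(0, eq)
        if (name == paramName) {
            String value = eq < 0 ? '' : pair.substring(eq + 1)
            return URLDecoder.decode(value, StandardCharsets.UTF_8.name())
        }
    }
    return null
}

// True when the nonce survives a query string untouched, i.e. when a nonce
// password policy restricted to these characters could skip the encoding step.
boolean isQuerySafe(String token) {
    return URLEncoder.encode(token, StandardCharsets.UTF_8.name()) == token
}

// Constructed sample (hypothetical nonce): the link shape from the post, with a
// nonce that contains several reserved characters at once. In a midPoint
// script the URL would come from midpoint.createPasswordResetLink(user).
String rawToken = 'uWU9Y3Au,O+O&x=1#y'
String generated = 'https://midpoint-test.u-paris.fr/midpoint/confirm/reset?user=jsmith&token=' + rawToken
String fixed = encodeTokenParameter(generated)

println "generated: ${generated}"
println "encoded:   ${fixed}"

assert !isQuerySafe(rawToken)
assert decodeTokenParameter(generated) != rawToken    // '+' becomes a space and '&' truncates the nonce
assert decodeTokenParameter(fixed) == rawToken        // the encoded link round-trips exactly
assert encodeTokenParameter(fixed) != fixed           // encoding is not idempotent: apply it once
```

    <p>Run it with the groovy command; the assertions fail loudly if the
      round trip breaks. The last assertion is the caveat worth keeping in
      mind when wiring this into a mapping: applying the encoding to an
      already-encoded link turns every "%" into "%25", so the step must run
      exactly once, on the raw link returned by createPasswordResetLink().</p>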
  </body>
</html>