Secure Password Changes
Changing passwords can expose a server to security risks. An insecure password reset process can allow attackers to reset the passwords of other users in order to bypass authentication and gain access to those accounts.
Reauthentication forces users or clients to confirm their identity even if that identity was verified previously. When passwords are changed over REST, using a PUT or PATCH request, IDM requires the X-OpenIDM-Reauth-Password header. If this header is absent, the server returns a 403 (Forbidden) error.
For example, the following password change request fails:
curl \
--header "Content-Type: application/json" \
--header "X-OpenIDM-Username: bjensen" \
--header "X-OpenIDM-Password: Passw0rd" \
--header "Accept-API-Version: resource=1.0" \
--cacert ca-cert.pem \
--header "If-Match: *" \
--request PUT \
--data '{
  "userName": "bjensen",
  "givenName": "Babs",
  "sn": "Jensen",
  "mail": "babs.jensen@example.com",
  "telephoneNumber": "555-123-1234",
  "password": "NewPassw0rd"
}' \
https://localhost:8443/openidm/managed/user/0638da14-e02e-4904-9076-b8ce8f700eb4
{
  "code": 403,
  "reason": "Forbidden",
  "message": "Access denied"
}
The same request, including the X-OpenIDM-Reauth-Password header, succeeds:
curl \
--header "Content-Type: application/json" \
--header "X-OpenIDM-Username: bjensen" \
--header "X-OpenIDM-Password: Passw0rd" \
--header "Accept-API-Version: resource=1.0" \
--cacert ca-cert.pem \
--header "X-OpenIDM-Reauth-Password: Passw0rd" \
--header "If-Match: *" \
--request PUT \
--data '{
  "userName": "bjensen",
  "givenName": "Babs",
  "sn": "Jensen",
  "mail": "babs.jensen@example.com",
  "telephoneNumber": "555-123-1234",
  "password": "NewPassw0rd"
}' \
https://localhost:8443/openidm/managed/user/0638da14-e02e-4904-9076-b8ce8f700eb4
{
  "_id": "0638da14-e02e-4904-9076-b8ce8f700eb4",
  "_rev": "00000000fa190282",
  "userName": "bjensen",
  "givenName": "Babs",
  "sn": "Jensen",
  "mail": "babs.jensen@example.com",
  "telephoneNumber": "555-123-1234",
  ...
}
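The following is an added, illustrative model of the server-side rule described above; it is not IDM's own code. It uses a constructed in-memory user store (the bjensen record from the examples, with a sample password), authenticates the caller from the X-OpenIDM-Username and X-OpenIDM-Password headers, and then, only when a PUT body carries a password field or a PATCH operation targets /password, additionally demands an X-OpenIDM-Reauth-Password header whose value verifies against the caller's current password. A missing or wrong reauth value yields the same 403 body the page shows. The handler's Python signature, the PBKDF2 password storage, and the 401 and 404 responses are assumptions made for the example.

```python
"""Illustrative model of reauthentication on password changes (not IDM's code)."""
import hashlib
import hmac
import secrets

USERNAME_HEADER = "x-openidm-username"
PASSWORD_HEADER = "x-openidm-password"
REAUTH_HEADER = "x-openidm-reauth-password"
FORBIDDEN = {"code": 403, "reason": "Forbidden", "message": "Access denied"}
UNAUTHORIZED = {"code": 401, "reason": "Unauthorized", "message": "Access denied"}
NOT_FOUND = {"code": 404, "reason": "Not Found", "message": "Object not found"}


def _hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (an assumption; IDM's storage format is not modelled)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def _verify_password(record, candidate):
    """Constant-time comparison of a candidate against the stored digest."""
    _, digest = _hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


def make_store():
    """Constructed user store keyed by _id; sample data, not a real deployment."""
    salt, digest = _hash_password("Passw0rd")
    return {
        "0638da14-e02e-4904-9076-b8ce8f700eb4": {
            "userName": "bjensen", "givenName": "Babs", "sn": "Jensen",
            "mail": "babs.jensen@example.com", "telephoneNumber": "555-123-1234",
            "salt": salt, "digest": digest, "_rev": 1,
        }
    }


def _changes_password(method, body):
    """True when a PUT replaces the password or a PATCH operation targets /password."""
    if method == "PUT":
        return "password" in body
    if method == "PATCH":
        return any(op.get("field") == "/password" for op in body)
    return False


def handle_request(store, method, user_id, headers, body):
    """Return (status, response_body) for a managed/user PUT or PATCH."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    target = store.get(user_id)
    if target is None:
        return 404, NOT_FOUND

    # Step 1: ordinary authentication of the caller.
    caller = next((u for u in store.values() if u["userName"] == hdrs.get(USERNAME_HEADER)), None)
    if caller is None or not _verify_password(caller, hdrs.get(PASSWORD_HEADER, "")):
        return 401, UNAUTHORIZED

    # Step 2: a password change also requires the reauth header, and its value
    # must verify against the caller's *current* password, not merely be present.
    if _changes_password(method, body):
        reauth = hdrs.get(REAUTH_HEADER)
        if reauth is None or not _verify_password(caller, reauth):
            return 403, FORBIDDEN

    # Step 3: apply the change; the new password is hashed before storage.
    if method == "PUT":
        updated = dict(body)
        if "password" in updated:
            updated["salt"], updated["digest"] = _hash_password(updated.pop("password"))
        else:
            updated["salt"], updated["digest"] = target["salt"], target["digest"]
        updated["_rev"] = target["_rev"] + 1
        store[user_id] = updated
    elif method == "PATCH":
        for op in body:
            if op.get("operation") != "replace":
                return 400, {"code": 400, "reason": "Bad Request", "message": "Unsupported operation"}
            field = op["field"].lstrip("/")
            if field == "password":
                target["salt"], target["digest"] = _hash_password(op["value"])
            else:
                target[field] = op["value"]
        target["_rev"] += 1
        updated = target
    else:
        return 405, {"code": 405, "reason": "Method Not Allowed", "message": "Use PUT or PATCH"}

    public = {k: v for k, v in updated.items() if k not in ("salt", "digest")}
    return 200, {"_id": user_id, **public}


if __name__ == "__main__":
    store = make_store()
    uid = "0638da14-e02e-4904-9076-b8ce8f700eb4"
    auth = {"X-OpenIDM-Username": "bjensen", "X-OpenIDM-Password": "Passw0rd"}
    body = {"userName": "bjensen", "givenName": "Babs", "sn": "Jensen", "password": "NewPassw0rd"}
    print(handle_request(store, "PUT", uid, auth, body))  # 403 without reauth header
    print(handle_request(store, "PUT", uid, {**auth, "X-OpenIDM-Reauth-Password": "Passw0rd"}, body))
```

Two properties are worth noting: an update that does not touch the password needs no reauth header at all, so the extra step costs nothing on ordinary profile edits, and the reauth value is verified rather than just checked for presence, so a stolen session that lacks the current password cannot rotate it.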