400 response using REST API to update a user's password in OpenAM 11.0.0, 11.0.1, 11.0.2 and 12.0.0

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you encounter a 400 Bad Request: Invalid Password response when using the REST API to update a user's password in OpenAM 11.0.0, 11.0.1, 11.0.2 and 12.0.0, even though the old user password submitted is valid. This issue occurs when you have an authentication chain that requires more than a username and password to authenticate and uses a module such as the Adaptive Risk module.

Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following response is received when updating a user's password using the REST API, even though the old user password submitted is valid:

{"code":400,"reason":"Bad Request","message":"Invalid Password"}

Recent Changes

Upgraded to OpenAM 11.0.0, 11.0.1, 11.0.2 or 12.0.0.

Implemented an authentication chain that requires more than a username and password to authenticate, for example, one in which the Adaptive Risk module requires a historical IP address.

Causes

The password validation mechanism (the IdentityResource#checkValidPassword method) tries to authenticate the user in the realm using the realm's default authentication chain. When the request arrives over REST, this authentication fails if the chain requires anything more than the username and password (olduserpassword), because the REST interface does not have access to the authentication context. Therefore, this error is returned regardless of whether the olduserpassword is correct or not.

Solution

This issue can be resolved by upgrading to OpenAM 11.0.3, or OpenAM 12.0.1 or later; you can download this from BackStage.

Alternatively, you could remove the additional authentication steps from the authentication chain, for example, remove the Adaptive Risk module. However, this approach is not recommended, as you will lose the functionality associated with the additional authentication steps.
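The following Python script is an added example, not ForgeRock's own code, that ties the Causes and Solution sections together: it builds the REST changePassword call, then classifies a response so that the 400 "Invalid Password" returned by an affected release with a multi-step default chain is reported as OPENAM-3877 (with the upgrade target from this article) rather than as a wrong old password. The endpoint shape /json/users/{user}?_action=changePassword, the iPlanetDirectoryPro SSO token header, and the module type names in the chain are assumptions taken from the OpenAM 11 developer's guide conventions and not from this article; the olduserpassword parameter and the error body are the ones quoted above.

```python
"""Added example, not ForgeRock's own code: build the OpenAM 11/12 REST
changePassword call and classify the 400 "Invalid Password" response this
article describes. Assumed (not stated in the article): the endpoint shape
/json/users/{user}?_action=changePassword and the iPlanetDirectoryPro SSO
token header follow the OpenAM 11 developer's guide; the module type names
below are illustrative placeholders."""
import json
from typing import Dict, List, Tuple

# First release on each line with the fix, as stated in the article:
# 11.0.3, and 12.0.1 or later. 11.0.0-11.0.2 and 12.0.0 are affected.
FIXED_FROM: Dict[int, Tuple[int, int, int]] = {11: (11, 0, 3), 12: (12, 0, 1)}

# Module types satisfiable by username + password alone (illustrative set).
# Any other module in the realm's default chain, such as Adaptive Risk,
# needs context that the REST password check cannot supply.
PASSWORD_ONLY_MODULES = {"DataStore", "LDAP", "AD"}

# The exact error body quoted under "Symptoms".
SAMPLE_400_BODY = '{"code":400,"reason":"Bad Request","message":"Invalid Password"}'


def parse_version(text: str) -> Tuple[int, int, int]:
    """'11.0.2' -> (11, 0, 2); missing trailing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_affected_version(text: str) -> bool:
    """True for the releases the article lists as affected (11.0.0-11.0.2, 12.0.0)."""
    v = parse_version(text)
    fixed = FIXED_FROM.get(v[0])
    return fixed is not None and v < fixed


def fix_release(text: str) -> str:
    """Upgrade target named by the article for an affected version."""
    major = parse_version(text)[0]
    return "11.0.3" if major == 11 else "12.0.1 or later"


def build_change_password_request(base_url: str, username: str, sso_token: str,
                                  old_password: str, new_password: str):
    """Return (url, headers, body) for the changePassword action (assumed endpoint shape)."""
    url = f"{base_url.rstrip('/')}/json/users/{username}?_action=changePassword"
    headers = {"Content-Type": "application/json",
               "iPlanetDirectoryPro": sso_token}  # user's own SSO token (assumed header name)
    body = json.dumps({"username": username,
                       "olduserpassword": old_password,  # parameter name used by the article
                       "userpassword": new_password})
    return url, headers, body


def diagnose(status: int, body_text: str, version: str,
             default_chain_modules: List[str]) -> Tuple[str, str]:
    """Classify a changePassword response as (verdict, detail).

    verdict is one of: ok, openam-3877, invalid-old-password, unexpected.
    A 400 "Invalid Password" on an affected release whose default chain
    contains a non-password module is the bug, not a wrong old password.
    """
    if status == 200:
        return "ok", "password changed"
    try:
        body = json.loads(body_text)
    except ValueError:
        return "unexpected", f"HTTP {status} with non-JSON body"
    if status == 400 and body.get("message") == "Invalid Password":
        extra = [m for m in default_chain_modules if m not in PASSWORD_ONLY_MODULES]
        if extra and is_affected_version(version):
            return "openam-3877", (f"default chain also runs {', '.join(extra)}; "
                                   f"upgrade to OpenAM {fix_release(version)}")
        return "invalid-old-password", "olduserpassword does not match the stored password"
    return "unexpected", f"HTTP {status}: {body.get('message', body)}"


if __name__ == "__main__":
    url, headers, body = build_change_password_request(
        "https://openam.example.com:8443/openam", "demo", "AQIC5...constructed-token",
        "old-secret", "new-secret")
    print(url, body)
    # Constructed scenario: OpenAM 11.0.2 with Adaptive Risk in the default chain.
    print(diagnose(400, SAMPLE_400_BODY, "11.0.2", ["DataStore", "AdaptiveRisk"]))
    # Same response on 11.0.3: the fix is in, so the old password really is wrong.
    print(diagnose(400, SAMPLE_400_BODY, "11.0.3", ["DataStore", "AdaptiveRisk"]))
```

The chain module list is something you read from the realm's authentication configuration; the script takes it as a plain list so the decision logic can be exercised offline. The same 400 body means two different things depending on release and chain, which is why the verdict is keyed on both rather than on the HTTP status alone.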

See Also

OpenAM Developer's Guide › RESTful Identity and Realm Management Services › Updating Identities

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3877 (Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate)


Copyright © 2021 ForgeRock, all rights reserved.