How does a user change their own password in OpenIDM 2.x using the REST API?
The purpose of this article is to provide information on how a user can change their own password in OpenIDM 2.x using the REST API. The method varies slightly if OpenIDM is protected by OpenAM as the user must first authenticate before they can change their password.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Changing a user's own password
The following command can be used by a user to change their own password:
$ curl -H "X-OpenIDM-Username: jdoe" -H "X-OpenIDM-Password: OldPassword" -H "X-OpenIDM-Reauth-Password:OldPassword" -X POST -d '[{"replace":"password", "value":"NewPassw0rd"}]' "http://localhost:8080/openidm/managed/user/jdoe?_action=patch"
Changing a user's own password when OpenIDM is protected by OpenAM
When a user changes their own password where OpenIDM is protected by OpenAM, they must explicitly pass their authenticated credentials as follows:
- Use curl to authenticate to OpenAM as described in OpenAM Developer's Guide › Developing Client Applications › Authentication & Logout. For example:
  $ curl -X POST -H "X-OpenAM-Username: jdoe" -H "X-OpenAM-Password: OldPassword" -H "Content-Type: application/json" http://openam.example.com:8080/openam/json/authenticate
  This will return a tokenID, such as AQIC5wM2LY4SfcxUm6wdixPGaSrucHNIH7haV14vmdkrRsU.*AAJTSQACMDE.*
- Change your password, including the tokenID as the cookie value and the header "X-Requested-With: XMLHttpRequest":
  $ curl -b "iPlanetDirectoryPro=AQIC5wM2LY4SfcxUm6wdixPGaSrucHNIH7haV14vmdkrRsU.*AAJTSQACMDE.*" -H "X-Requested-With: XMLHttpRequest" -H "X-OpenIDM-Reauth-Password:OldPassword" -X POST -d '[{"replace":"password", "value":"NewPassw0rd"}]' "http://localhost:8080/openidm/managed/user/jdoe?_action=patch"
Note
Some command line parameters, such as iPlanetDirectoryPro, are case-sensitive.
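The two steps above combined into one script, as an added example that is not ForgeRock's code. The function names are hypothetical, the response shape {"tokenId":"..."} is an assumption (the article only says a tokenID is returned), and the passwords are fed to curl through its config-on-stdin option (-K -) so they do not appear in the process list.

```shell
#!/bin/sh
# Added example, not ForgeRock code. URLs and header names are the article's;
# point the URLs at your own deployment (use https outside a lab).
OPENAM_URL="${OPENAM_URL:-http://openam.example.com:8080/openam/json/authenticate}"
OPENIDM_URL="${OPENIDM_URL:-http://localhost:8080/openidm/managed/user}"

# Escape backslash and double quote so a value is safe inside a JSON string
# and inside a quoted curl config value (assumes no control characters).
escape_dq() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Extract tokenId from the authenticate response (assumed shape: {"tokenId":"...", ...}).
extract_token_id() {
    printf '%s' "$1" | sed -n 's/.*"tokenId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the patch body used in the article for a given new password.
build_patch_body() {
    printf '[{"replace":"password","value":"%s"}]' "$(escape_dq "$1")"
}

# Step 1 (authenticate to OpenAM) and step 2 (patch the password in OpenIDM).
# Credentials, cookie and body reach curl on stdin via -K -, never as arguments.
# Assumes the user name needs no URL encoding.
change_password() {
    user=$1 old=$2 new=$3
    resp=$(printf 'header = "%s"\nheader = "%s"\n' \
            "X-OpenAM-Username: $(escape_dq "$user")" \
            "X-OpenAM-Password: $(escape_dq "$old")" |
        curl -sS -X POST -H "Content-Type: application/json" -K - "$OPENAM_URL") || return 1
    token=$(extract_token_id "$resp")
    [ -n "$token" ] || { echo "authentication failed: no tokenId returned" >&2; return 1; }
    printf 'cookie = "%s"\nheader = "%s"\ndata = "%s"\n' \
        "iPlanetDirectoryPro=$(escape_dq "$token")" \
        "X-OpenIDM-Reauth-Password: $(escape_dq "$old")" \
        "$(escape_dq "$(build_patch_body "$new")")" |
        curl -sS -X POST -H "X-Requested-With: XMLHttpRequest" -K - \
            "$OPENIDM_URL/$user?_action=patch"
}
```

Source the file and call change_password with the user name and the old and new passwords held in shell variables read from a prompt, so the passwords are not typed into shell history.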
If you have managed users with the openidm-cert role, you must update the password policy to allow these users to re-authenticate. You can update the password policy by adding the following text to the password policies section in the policy.json file (located in the /path/to/openidm/conf directory):
{
    "policyId" : "re-auth-required",
    "params" : {
        "exceptRoles" : [ "openidm-admin", "openidm-reg", "openidm-cert" ]
    }
}
This text is already included in the default configuration for OpenIDM 3.0.0, so it does not need to be re-added when you upgrade.
See Also
How do I invoke the OpenIDM 4.x REST API when OpenIDM is protected by OpenAM?
How does a user change their own password in OpenIDM 3.x using the REST API?
How does a user change their own password in IDM (All versions) using the REST API?
OpenAM Developer's Guide › Developing Client Applications › Authentication & Logout
Related Issue Tracker IDs
OPENIDM-1583 (OpenIDM should not enforce the REAUTH_REQUIRED policy for openidm-cert role.)