How does a user change their own password in OpenIDM 2.x using the REST API?

Last updated Jan 5, 2021

The purpose of this article is to provide information on how a user can change their own password in OpenIDM 2.x using the REST API. The method varies slightly if OpenIDM is protected by OpenAM as the user must first authenticate before they can change their password.

Archived

This article has been archived and is no longer maintained by ForgeRock.

Changing a user's own password

The following command can be used by a user to change their own password:

$ curl -H "X-OpenIDM-Username: jdoe" -H "X-OpenIDM-Password: OldPassword" -H "X-OpenIDM-Reauth-Password:OldPassword" -X POST -d '[{"replace":"password", "value":"NewPassw0rd"}]' "http://localhost:8080/openidm/managed/user/jdoe?_action=patch"

Changing a user's own password when OpenIDM is protected by OpenAM

When a user changes their own password where OpenIDM is protected by OpenAM, they must explicitly pass their authenticated credentials as follows:

  1. Use curl to authenticate to OpenAM as described in OpenAM Developer's Guide › Developing Client Applications › Authentication & Logout. For example:

     $ curl -X POST -H "X-OpenAM-Username: jdoe" -H "X-OpenAM-Password: OldPassword" -H "Content-Type: application/json" http://openam.example.com:8080/openam/json/authenticate

     This will return a tokenID, such as AQIC5wM2LY4SfcxUm6wdixPGaSrucHNIH7haV14vmdkrRsU.*AAJTSQACMDE.*
  2. Change your password, including the tokenID as the cookie value and the header "X-Requested-With: XMLHttpRequest":

     $ curl -b "iPlanetDirectoryPro=AQIC5wM2LY4SfcxUm6wdixPGaSrucHNIH7haV14vmdkrRsU.*AAJTSQACMDE.*" -H "X-Requested-With: XMLHttpRequest" -H "X-OpenIDM-Reauth-Password:OldPassword" -X POST -d '[{"replace":"password", "value":"NewPassw0rd"}]' "http://localhost:8080/openidm/managed/user/jdoe?_action=patch"

Note

Some command line parameters, such as iPlanetDirectoryPro, are case-sensitive.
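
The two steps above as one script, added here as an example and not ForgeRock code: it prompts for the passwords and passes curl its headers, cookie and body through --config on standard input, so they do not show up in the process list or shell history. The function names are this example's own, and it assumes the OpenAM response is JSON carrying the token in a tokenId field and that the user ID needs no URL encoding.

```shell
#!/bin/sh
# Added example, not ForgeRock code. URLs, headers and the patch body are the
# article's; the function names and the --config approach are this example's.
OPENAM_URL="http://openam.example.com:8080/openam/json/authenticate"
OPENIDM_URL="http://localhost:8080/openidm/managed/user"

# Escape \ and " so a value can sit inside a quoted curl-config or JSON string.
esc() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Read the OpenAM authenticate response on stdin and print its tokenId
# (field name assumed; prints nothing when the field is absent).
extract_token_id() {
  sed -n 's/.*"tokenId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 1 as a curl config: $1 = user, $2 = current password.
auth_config() {
  printf 'request = "POST"\n'
  printf 'header = "X-OpenAM-Username: %s"\n' "$(esc "$1")"
  printf 'header = "X-OpenAM-Password: %s"\n' "$(esc "$2")"
  printf 'header = "Content-Type: application/json"\n'
  printf 'url = "%s"\n' "$OPENAM_URL"
}

# Step 2 as a curl config: $1 = user, $2 = tokenId, $3 = current, $4 = new.
patch_config() {
  # Escaped once for JSON here, then once more for the curl config below.
  body=$(printf '[{"replace":"password", "value":"%s"}]' "$(esc "$4")")
  printf 'request = "POST"\n'
  printf 'cookie = "iPlanetDirectoryPro=%s"\n' "$(esc "$2")"
  printf 'header = "X-Requested-With: XMLHttpRequest"\n'
  printf 'header = "X-OpenIDM-Reauth-Password: %s"\n' "$(esc "$3")"
  printf 'data = "%s"\n' "$(esc "$body")"
  printf 'url = "%s/%s?_action=patch"\n' "$OPENIDM_URL" "$1"
}

# Prompt without echo; the answer is left in $REPLY.
ask() { printf '%s: ' "$1" >&2; stty -echo; IFS= read -r REPLY; stty echo; echo >&2; }

change_password() {
  ask "Current password"; old=$REPLY
  ask "New password"; new=$REPLY
  token=$(auth_config "$1" "$old" | curl -sS --config - | extract_token_id)
  [ -n "$token" ] || { echo "OpenAM authentication failed" >&2; return 1; }
  patch_config "$1" "$token" "$old" "$new" | curl -sS --config -
}

# Runs only when a user ID is given, for example: sh change-password.sh jdoe
[ -z "${1:-}" ] || change_password "$1"
```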

If you have managed users with the openidm-cert role, you must update the password policy to allow these users to re-authenticate. You can update the password policy by adding the following text to the password policies section in the policy.json file (located in the /path/to/openidm/conf directory):

{
    "policyId" : "re-auth-required",
    "params" : {
        "exceptRoles" : [
            "openidm-admin",
            "openidm-reg",
            "openidm-cert"
        ]
    }
}

This text is already included in the default configuration for OpenIDM 3.0.0 so does not need re-adding when you upgrade.

See Also

How do I invoke the OpenIDM 4.x REST API when OpenIDM is protected by OpenAM?

How does a user change their own password in OpenIDM 3.x using the REST API?

How does a user change their own password in IDM (All versions) using the REST API?

OpenAM Developer's Guide › Developing Client Applications › Authentication & Logout

Related Issue Tracker IDs

OPENIDM-1583 (OpenIDM should not enforce the REAUTH_REQUIRED policy for openidm-cert role.)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.