Resetting forgotten password failing but not sure why

We are using the /json/authenticate endpoint to reset forgotten passwords, same as the example in the “Identity Cloud Postman collection”. This has been in place for a while and has been working, but we have run across an issue with a specific user where this method continually fails for him.

When we submit the request with the previously retrieved authId and the new password in the payload we are getting this response:
{"tokenId":null,"successUrl":null,"realm":null}
{"code":401,"reason":"Unauthorized","message":"Failed policy validation","detail":{"failureUrl":"https://www.xxx.pvt/callback"}}

So my question is: how can I find the cause of this error? Given the 401 code I am guessing something is wrong with the authId?

I have tried using the logging endpoints (/monitoring/logs) to see if that provides anything, but it doesn’t look like we have much logging configured.

The “Failed policy validation” message in the response suggests that the new password you are giving does not satisfy the password requirements. The password you’re giving will be matched against a few policies that are assigned to that field in the IDM.

Are you giving a complex enough password? And are you giving a password that hasn’t been used previously?

I have not asked for their password yet, but wanted to see if there was any kind of log that might tell why it failed.
In our ForgeRock password policies we aren’t enforcing the “Cannot reuse” rule, our UI takes care of validating the password complexity (length, and required characters) and all of the “Cannot Include” rules are off.

I did not want to ask for the password unless I had to ask, but sounds like I need to start there.
Thanks.

Have you checked the IDM audit logs for a 403 (idm-access or even idm-everything), which should include the Validation Policy Failed requirements? The Forgotten Password journey makes use of the Patch Object node, which submits the patch request directly to IDM.
For reference: Get audit and debug logs :: ForgeRock Identity Cloud Docs

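As an added illustration (not code from this thread or from ForgeRock), here is a small Python filter over the kind of JSON the /monitoring/logs endpoint returns for the idm-access source: it keeps only FAILED PATCH requests whose response detail lists failedPolicyRequirements, which is where the reason behind a "Failed policy validation" 401 should surface. The sample entries and the exact field names (payload, request.operation, response.detail.failedPolicyRequirements) are constructed assumptions, so compare them against your own tenant's output.

```python
import json

# Constructed sample shaped like a /monitoring/logs response for the idm-access
# source; field names are assumptions to compare against real tenant output.
SAMPLE = json.dumps({"result": [
    {"source": "idm-access", "payload": {
        "transactionId": "txn-0001",
        "request": {"protocol": "CREST", "operation": "PATCH"},
        "http": {"request": {"path": "/openidm/managed/alpha_user/abc"}},
        "response": {"status": "SUCCESSFUL", "statusCode": "200"}}},
    {"source": "idm-access", "payload": {
        "transactionId": "txn-0002",
        "request": {"protocol": "CREST", "operation": "PATCH"},
        "http": {"request": {"path": "/openidm/managed/alpha_user/def"}},
        "response": {"status": "FAILED", "statusCode": "403", "detail": {
            "failedPolicyRequirements": [{"property": "password", "policyRequirements": [
                {"policyRequirement": "MIN_LENGTH", "params": {"minLength": 8}},
                {"policyRequirement": "AT_LEAST_X_NUMBERS", "params": {"numNums": 1}}]}]}}}},
    {"source": "idm-access", "payload": {
        "transactionId": "txn-0003",
        "request": {"protocol": "CREST", "operation": "READ"},
        "http": {"request": {"path": "/openidm/managed/alpha_user/def"}},
        "response": {"status": "FAILED", "statusCode": "404"}}},
]})


def failed_policy_patches(raw):
    """Return one (transactionId, path, [property:requirement, ...]) tuple per
    FAILED PATCH whose response detail lists failedPolicyRequirements."""
    hits = []
    for entry in json.loads(raw).get("result", []):
        p = entry.get("payload", {})
        resp = p.get("response", {})
        if p.get("request", {}).get("operation") != "PATCH" or resp.get("status") != "FAILED":
            continue
        reqs = [f"{fr.get('property')}:{r.get('policyRequirement')}"
                for fr in resp.get("detail", {}).get("failedPolicyRequirements", [])
                for r in fr.get("policyRequirements", [])]
        if reqs:  # a failed PATCH without policy detail is some other error
            hits.append((p.get("transactionId"), p["http"]["request"]["path"], reqs))
    return hits


if __name__ == "__main__":
    for txn, path, reqs in failed_policy_patches(SAMPLE):
        print(txn, path, ", ".join(reqs))  # txn-0002 ... password:MIN_LENGTH, password:AT_LEAST_X_NUMBERS
```

The transactionId of a hit can then be matched against the am-access entries from the same journey run to tie the IDM policy failure back to the /json/authenticate call that returned the 401.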

I have looked at all of the am-xxxx and idm-xxxx audit log sources during the timespan of this transaction and I can’t locate any failures being logged.