The sample journey for Change Password in Identity Cloud uses a GetSessionData node at the start. I believe this node is being used just to ensure that the user has an existing session. (It retrieves the UserToken session property (user principal) and stores it in a “mail” shared state attribute, which seems wrong.) The documentation for GetSessionData suggests that it will fail with an error if the user doesn’t have an existing session, but in my testing this doesn’t seem to be true. Instead, the journey continues with a blank username which then causes re-authentication to always fail without explanation.
The GetSessionData docs themselves recommend using a scripted decision node to check if a current session exists or not. Would it be better to do that in the ChangePassword journey?
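
Added example (not part of the original post, and not code from the sample journey): a sketch of the scripted decision check the post asks about, written to fail closed when the session is missing or its `UserToken` is blank. It assumes the legacy scripting bindings `existingSession` and `sharedState`, the outcome names `hasSession` and `noSession`, and the `username` shared state key; the map stand-ins at the bottom are constructed so the logic runs outside AM.

```javascript
// Added example: fail-closed session check for a Scripted Decision node.
// Assumed outcome names (configure both on the node): "hasSession", "noSession".
var SESSION_PROPERTY = "UserToken";   // session property named in the post
var SHARED_STATE_KEY = "username";    // assumption: key read by later nodes

// existingSession: node binding, absent when the user has no session.
// sharedState: node binding holding the journey's shared state (legacy API).
function checkSession(existingSession, sharedState) {
  if (typeof existingSession === "undefined" || existingSession === null) {
    return "noSession";
  }
  var token = existingSession.get(SESSION_PROPERTY);
  var username = (token === null || typeof token === "undefined")
    ? ""
    : String(token).trim();
  if (username === "") {
    // A session with no usable principal is treated like no session, so the
    // journey never reaches re-authentication with a blank username.
    return "noSession";
  }
  sharedState.put(SHARED_STATE_KEY, username);
  return "hasSession";
}

// Inside the node the bindings are injected, so the script would end with:
//   outcome = checkSession(
//     typeof existingSession !== "undefined" ? existingSession : undefined,
//     sharedState);

// Constructed stand-in for the Java maps behind the bindings.
function fakeMap(initial) {
  var data = initial || {};
  return {
    get: function (key) {
      return Object.prototype.hasOwnProperty.call(data, key) ? data[key] : null;
    },
    put: function (key, value) { data[key] = value; }
  };
}

// Constructed sample runs: no session, blank principal, valid principal.
var demoState = fakeMap({});
console.log(checkSession(undefined, demoState));                          // noSession
console.log(checkSession(fakeMap({ UserToken: "   " }), demoState));      // noSession
console.log(checkSession(fakeMap({ UserToken: "bjensen" }), demoState));  // hasSession
```

Route the `noSession` outcome to a failure node or a login step so the journey ends with a clear result when there is nothing to re-authenticate.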