SCIM-Client updateUser is causing a password reset

By: Gareth Smith user 31 Mar 2018 at 10:20 a.m. CDT

4 Responses
Gareth Smith gravatar
Hi, We are using the java SCIM-Client 3.1.2 Final to do SCIM protected by UMA. We have exposed the "departmentNumber" attribute to SCIM (it shows in the extension schema). We have a simple scenario where we are retrieving the user: ``` User user = client.retrieveUser(uid, new String[]{}).getEntity(); String deptStr = "newDept"; Extension userExtension; Extension.Builder extensionBuilder; extensionBuilder = new Extension.Builder(Constants.USER_EXT_SCHEMA_ID); extensionBuilder.setField("departmentNumber", deptStr); userExtension = extensionBuilder.build(); user.addExtension(userExtension); client.updateUser(user, uid, new String[]{}); ``` The uid is the inum of the user. The user is succesfully retrieved, and the data is successfully updated - but the password _ also seems to have been changed/reset_. The password that could previously be used to log in with the user no longer applies. If we use the UI to reset the password login works as normal. Has anyone else experienced this issue, or know of a work around? Thanks for your help in advance.
Ubuntu 16.04
closed

Answers

By Gareth Smith user 31 Mar 2018 at 11:35 a.m. CDT

Copy
Gareth Smith gravatar
It is enough to specify: ``` user.setPassword(null); ``` This retains the current value.

By Michael Schwartz Account Admin 31 Mar 2018 at 12:02 p.m. CDT

Copy
Michael Schwartz gravatar
Jose, this seems unusual. Thoughts?

By Jose Gonzalez staff 01 Apr 2018 at 2:54 p.m. CDT

Copy
Jose Gonzalez gravatar
Hello, The problem stems from this version not modeling the returnability of the password attribute accurately, which per spec is "never", meaning the value should not be returned under any circumstance. However, server implementation is returning a dummy value when querying: https://github.com/GluuFederation/oxTrust/blob/version_3.1.2/server/src/main/java/org/gluu/oxtrust/util/CopyUtils2.java#L818 This degenerates in setting the password with such value when a query is immediately followed by an update. For this particular case, I think there is no need for the retrieval, just do `User user = new User();`, then attach the extension and call the update... version 3.1.3 (see https://www.gluu.org/roadmap/) models attribute characteristics correctly though

By Gareth Smith user 01 Apr 2018 at 3:07 p.m. CDT

Copy
Gareth Smith gravatar
Hi, Following your suggestion I tried the following: ``` User user = new User(); String scimRoleStr = "newDept"; Extension userExtension; Extension.Builder extensionBuilder; extensionBuilder = new Extension.Builder(Constants.USER_EXT_SCHEMA_ID); extensionBuilder.setField("departmentNumber", scimRoleStr); userExtension = extensionBuilder.build(); user.addExtension(userExtension); client.updateUser(user, uid, new String[]{}); ``` This didn't reset the password, however it set the "User Status" field to inactive. Passing user.setActive(true) was required to mitigate that. In all this is the preferable option though since (here at least) I can do without the read. Thanks for the swift reply and note about 3.1.3 - I think we'll be looking to pick that up for the oxTrust#877 fix too. Keep up the good work :)

Post an answer