Hi,

I've a question regarding the <mustChangePassword> flag for users.

How is the behavior for this flag intended?

I'd expect that if this flag is set, I can obtain a temporary access token but 
I can't perform any actions other than "/users/self/mustChangePassword".
So I must change the password before I can even get my own user information.

The observed behavior is quite different using the REST API:
(We're using 2.0.8 but I verified the same behavior in the demo environment 
which is 2.1.2-snapshot)

Given the admin has set the "mustChangePassword" flag to "true" for user 
"rossini":
When the user "rossini" acquires an access token, then the access token is 
returned. (I haven't tested the behavior with Basic Auth.)
When the user "rossini" queries GET /users/self, then the user object is 
returned and the header "x-syncope-entitlements: {"MUST_CHANGE_PASSWORD":[]}" 
is set.
When the user "rossini" uses PATCH /users/self and sets the 
"mustChangePassword" flag to "false", then the user object is updated (status 
200).

The last step especially is somewhat strange in my opinion, and the question 
arose of how the use of this flag is intended.

Regards, Lukas
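The Given/When/Then sequence above, turned into a reusable enforcement check. This is an added example, not code from the original mail or from the Syncope project; the login endpoint `/accessTokens/login`, the `X-Syncope-Token` response header, the Bearer scheme and the `UserPatch` JSON body are assumptions about the Syncope 2.x REST API, while `/users/self` and the `x-syncope-entitlements` header come from the mail. The constructed `fake_server` stands in for a real deployment so the check runs offline.

```python
import base64
import json

LOGIN_PATH = "/accessTokens/login"     # assumed Syncope 2.x login endpoint (not in the mail)
TOKEN_HEADER = "x-syncope-token"       # assumed response header carrying the access token
ENT_HEADER = "x-syncope-entitlements"  # header quoted in the mail
# Assumed 2.0-style patch body clearing the flag; the exact JSON shape is version-specific.
CLEAR_FLAG = json.dumps({"@class": "org.apache.syncope.common.lib.patch.UserPatch",
                         "mustChangePassword": {"operation": "ADD_REPLACE", "value": False}})

def check_must_change_password(transport, user, pwd):
    """Replay the Given/When/Then steps from the mail against `transport`, a callable
    (method, path, headers, body) -> (status, headers, body), and classify the outcome."""
    basic = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    status, hdrs, _ = transport("POST", LOGIN_PATH, {"Authorization": f"Basic {basic}"}, "")
    hdrs = {k.lower(): v for k, v in hdrs.items()}
    out = {"token_issued": status == 200 and TOKEN_HEADER in hdrs}
    if not out["token_issued"]:
        return out
    auth = {"Authorization": f"Bearer {hdrs[TOKEN_HEADER]}"}
    status, hdrs, _ = transport("GET", "/users/self", auth, "")
    hdrs = {k.lower(): v for k, v in hdrs.items()}
    out["self_readable"] = status == 200
    out["only_must_change_entitlement"] = set(json.loads(hdrs.get(ENT_HEADER, "{}"))) == {"MUST_CHANGE_PASSWORD"}
    status, _, _ = transport("PATCH", "/users/self", {**auth, "Content-Type": "application/json"}, CLEAR_FLAG)
    out["user_cleared_own_flag"] = status == 200
    # Enforced means a locked-down user cannot clear the flag with a plain PATCH on itself.
    out["enforced"] = not out["user_cleared_own_flag"]
    return out

def fake_server(patch_status):
    """Constructed in-memory stand-in for Syncope: answers as the mail describes,
    except that the PATCH result is parameterised (200 as observed, 403 as expected)."""
    token = "fake.jwt.token"
    def transport(method, path, headers, body):
        if (method, path) == ("POST", LOGIN_PATH) and headers.get("Authorization", "").startswith("Basic "):
            return 200, {"X-Syncope-Token": token}, ""
        if headers.get("Authorization") != f"Bearer {token}":
            return 401, {}, ""
        if (method, path) == ("GET", "/users/self"):
            return 200, {"X-Syncope-Entitlements": '{"MUST_CHANGE_PASSWORD":[]}'}, '{"username":"rossini"}'
        if (method, path) == ("PATCH", "/users/self"):
            return patch_status, {}, ""
        return 404, {}, ""
    return transport

as_reported = fake_server(200)  # behaviour seen on 2.0.8 and 2.1.2-SNAPSHOT
enforcing = fake_server(403)    # behaviour the reporter expected
```

Pointing `transport` at a real HTTP client against a test realm gives the same dict, so the check can sit in a deployment's post-upgrade verification.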
