My Oracle Support Banner

OAM / Change Password page does not validate Old Password (Doc ID 1635474.1)

Last updated on MARCH 06, 2019

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


Oracle Access Manager (OAM) or has been configured to use the OAM Password Plugin for password management.

When a user is redirected to the OAM Change Password page to change their password e.g. for first time logins or users with passwords reset, any value can be entered for Old Password. The Old Password value submitted is not validated.

Steps to reproduce

1. In a new browser session, access a resource protected by the OAM Release 2 (R2) Password Plugin.
2. The OAM SSO login page is displayed.
3. User submits valid credentials.
4. OAM validates the credentials but the user entry has obpasswordchangeflag=true or obpasswordcreationdate > password lifetime so OAM redirects the user to the OAM Change Password page.
5. User submits any value for Old Password, and a New Password value that conforms to password policy requirements.
6. The user's password is successfully changed.





To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.