Ask Password flow doesn't work if Enable Account Lock On Creation is toggled off due to account state remaining PENDING_AP

[vfraga]

Describe the issue:
The user's account state remains PENDING_AP after it sets a new password either in the browser (clicking the link sent to the email address,) or via the Account Recovery API (api/identity/recovery/v0.9/set-password).

Might be related to the efforts in a previous issue [1].

How to reproduce:

1. Set an Identity Server instance with mail-sending capabilities.
2. Toggle Enable User Email Verification on, and Enable Account Lock On Creation off, under Identity Providers > Resident > Account Management Policies > User Onboarding
3. In the Account State claim configuration, toggle on Supported by Default to allow reading the claim value in the User Profile.
4. Send the POST SCIM2/Users request below:

curl -k -u admin:admin  -H "Content-Type:application/json" -d '{
  "schemas": [],
  "name": {
    "familyName": "Smith",
    "givenName": "Paul"
  },
  "userName": "Paul",
  "password": "test123",
  "emails": [
    {
      "primary": true,
      "value": "[email protected]"
    }
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "askPassword": "true"
  }
}' -X POST https://localhost:9443/scim2/Users

5. Observe the account state PENDING_AP in the User Profile.
6. Click the link received in the user's mail and set a new password.
7. Observe the account state remains PENDING_AP in the User Profile.

Expected behavior:
The account state should be changed to UNLOCKED appropriately.

Environment information:

• Product Version: IS 5.10.0

---

[1] #21322