https://support.okta.com/help/answers?id=906f0000000hzrpiac&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Jonny Ford

How to reset password via Okta API

I'm looking into creating a script to change a password on a Mac, Keychain and on Okta at once.

I've come up with the following but
a) the variables aren't being passed into the script
b) I'm not getting a stateToken from the first authn API call. Can I use the sessionToken? 

Any suggestions? 

#!/bin/bash

# Set variables
org=orgname
user=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
oldPassword=$(osascript -e 'Tell application "System Events" to display dialog "Enter your current network password:" with hidden answer default answer ""' -e 'text returned of result' 2>/dev/null)
newPassword=$(osascript -e 'Tell application "System Events" to display dialog "Enter your new network password:" with hidden answer default answer ""' -e 'text returned of result' 2>/dev/null)

# Find out current user state
curl -v -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '{  "username": "${user}",  "password" : "${oldPassword}",        "options": {    "multiOptionalFactorEnroll": false,    "warnBeforePasswordExpired": true  }}' "https://${org}.okta.com/api/v1/authn"

# Change Password
# NOTE: the stateToken is hard-coded here; it has to come from the authn response above
curl -v -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '{ "stateToken": "007ucIX7PATyn94hsHfOLVaXAmOBkKHWnOOLG43bsb",    "oldPassword": "${oldPassword}",  "newPassword": "${newPassword}" }' "https://${org}.okta.com/api/v1/authn/credentials/change_password"

# Change password on local account (dscl takes the old password before the new one)
dscl . -passwd "/Users/$user" "$oldPassword" "$newPassword"

# Check if Keychain is locked; if so, try $oldPassword to unlock
security unlock-keychain -p "$oldPassword" ~/Library/Keychains/login.keychain

# Change Keychain password to $newPassword
security set-keychain-password -o "$oldPassword" -p "$newPassword" ~/Library/Keychains/login.keychain
Best Answer chosen by Jonny Ford
Gabriel Sroka (Okta, Inc.)
I find using \" with JSON can get a little confusing:
echo "{\"username\": \"${user}\"}"

Another way to do it is using both single and double quotes:
echo '{"username": "'"${user}"'"}'

Here's an example using curl. This one uses both single and double quotes for the -d parameter: single quotes around the JSON double quotes, and double quotes for the shell variables:
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
  "username": "'"${user}"'",
  "password": "'"${oldPassword}"'",
  "options": {
    "multiOptionalFactorEnroll": false,
    "warnBeforePasswordExpired": true
  }
}' "https://${org}.okta.com/api/v1/authn"
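The quoting above works, but it still splices raw values into the JSON, so a password containing a double quote or backslash breaks the body, and passing the body as a -d argument makes the password visible to other local users in the process list. Below is an added POSIX sh example (mine, not the thread's or Okta's) that escapes the values and feeds the body to curl on stdin; "orgname" is a placeholder org subdomain, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the /api/v1/authn body
# with the values escaped for JSON and sends it on stdin, so a password
# containing " or \ cannot break out of (or inject into) the JSON string,
# and the password never appears as a -d argument in ps output.
# "orgname" is a placeholder org subdomain, as in the question.

# Escape one value for use inside a JSON double-quoted string.
# Backslash is doubled first, then the double quote is escaped.
# Control characters (tab, newline, ...) are rejected rather than
# escaped, so the body is never silently malformed.
json_escape() {
  case "$1" in
    *[[:cntrl:]]*) echo "json_escape: control character in value" >&2; return 1 ;;
  esac
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the primary-authentication request body for a username/password.
authn_body() {
  u=$(json_escape "$1") || return 1
  p=$(json_escape "$2") || return 1
  printf '{"username":"%s","password":"%s","options":{"multiOptionalFactorEnroll":false,"warnBeforePasswordExpired":true}}' "$u" "$p"
}

# POST the body from stdin (-d @-) instead of placing it on the command line.
# $1 = org subdomain, $2 = username, $3 = password.
authn_request() {
  authn_body "$2" "$3" | curl -sS -X POST \
    -H "Accept: application/json" -H "Content-Type: application/json" \
    -d @- "https://$1.okta.com/api/v1/authn"
}

# Example call (needs network access):
# authn_request orgname "$user" "$oldPassword"
```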

All Answers

Gabriel Sroka (Okta, Inc.)
Hi Jonny,

In your curl commands, you're using single quotes with -d, but the shell turns off evaluation of variable expressions if you use single quotes. E.g., this won't evaluate the variable:
echo '${org}'
but this will:
echo "${org}"
So you'll have to use double quotes and escape the inner double quotes using \.
E.g., this works in Bash:
echo "org=\"${org}\""
Check your shell documentation for more info.
Gurtek Singh
Hey Jonny,

Were you able to figure out how to get the state token to transfer?
hd hd
In my case I am just using the set password API {{url}}/api/v1/users/{{userId}}
request body:
{
  "credentials": {
    "password" : { "value": "{{password}}" }
  }
}
Make sure the user has a recovery question or it won't let you set the password nor authenticate.
Use set recovery credential with:
{{url}}/api/v1/users/{{userId}}
body:
{
  "credentials": {
    "recovery_question": {
      "question": "Who's a major player in the cowboy scene?",
      "answer": "Messi"
    }
  }
}