Patrick Cesard

Change Password

Hello.

I am looking for a method in the Okta SDK for .NET that allows for changing a password without the need for an API token. Is there such a method? So far the only method I found is the UsersClient.ChangePassword method, which requires a User object as a parameter. But a User can only be retrieved using the API token, afaik.

http://developer.okta.com/docs/sdk/core/csharp_api_sdk/html/abaa2d4e-e7bc-80f5-fc9a-4dc71001886a.htm
Patrick Cesard
More details on my question:

I'm basically looking for the .NET SDK equivalent to the following link you see when you authenticate (Primary authentication) and the status comes back with "PASSWORD_EXPIRED" and a stateToken.

The API authn/credentials/change_password in the link below allows you to pass in the stateToken and so the API token is not needed:

"_links": {
    "next": {
      "name": "changePassword",
      "href": "https://jnester-prod.okta.com/api/v1/authn/credentials/change_password",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
Wils Dawson (Okta, Inc.)
Hi Patrick,

We don't want to support changing a password without a token because that would mean anyone could change your password! The state token is short lived (http://developer.okta.com/docs/api/resources/authn.html#state-token) and is tied to the transaction from the client, so it provides assurance that the client is allowed to change their password when it is expired.

Unfortunately, looks like we don't yet support this in our .NET SDK. Our SDKs are something we're always improving and bringing up to parity with our API features that get released, so we will add it, but you can write it yourself and contribute to the SDK on GitHub (https://github.com/okta/oktasdk-csharp) to use it sooner! What you'll need to do is implement this transaction in the docs (http://developer.okta.com/docs/api/resources/authn.html#change-password).

An alternative workaround might be to make a call to the set password endpoint (http://developer.okta.com/docs/api/resources/users.html#set-password) with an admin token. I'm not sure how that would work in the middle of the authentication transaction though, so you may want to test that out before going too deep there.

Hope that helps!
Wils
Patrick Cesard
Thank you Wils. The first method is what I was thinking of, using the stateToken instead of an API token, which is a safer way to go because it is short-lived as you mentioned. I think the way to go in .NET would be to use the AuthClient.Execute method (http://developer.okta.com/docs/sdk/core/csharp_api_sdk/html/2fa49a0f-1caa-3ae2-4a71-07fed35a1f03.htm) but I wish it was better documented: there's no guidance on how to build the parameters that need to be passed in the method.
Wils Dawson (Okta, Inc.)
Yeah I think that makes sense Patrick. The documentation is definitely something we're working on!
Patrick Cesard
Thx Wils.
Question about the state token (http://developer.okta.com/docs/api/resources/authn.html#state-token). The API doc reads:
The lifetime of the state token uses a sliding scale expiration algorithm that extends with every request. Always introspect the expiresAt property for the transaction when making decisions based on lifetime.

How long after I call the aforementioned AuthClient.Execute method to make the password change, will the token expire? Should I specifically expire it to be safe?
Wils Dawson (Okta, Inc.)
I believe it is a one-time-use code, so after you make the request, you shouldn't need to expire it manually. I think what that documentation is trying to get across is that you should check the expiresAt property before calling Execute to ensure the state token is not expired yet.

Make sense?
Patrick Cesard
Yes, thx Wils.
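
The transaction discussed in this thread (check expiresAt, then POST the stateToken to authn/credentials/change_password with no API token), written in C# with plain HttpClient as an added example; it is not part of the original posts or of the Okta SDK. The org URL is a placeholder, the class and method names are hypothetical, and the body fields (stateToken, oldPassword, newPassword) are taken from the change-password documentation linked in the thread.

```csharp
using System;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not SDK code. OktaDomain is a placeholder; names are hypothetical.
public static class ExpiredPasswordFlow
{
    const string OktaDomain = "https://your-org.example.com"; // placeholder org URL
    static readonly HttpClient Http = new HttpClient();

    // True while the transaction's expiresAt is still in the future, minus a safety margin.
    public static bool IsLive(DateTimeOffset expiresAt, DateTimeOffset now, TimeSpan margin)
        => expiresAt - now > margin;

    // stateToken and expiresAt come from the PASSWORD_EXPIRED primary-authentication response.
    public static async Task<string> ChangePasswordAsync(
        string stateToken, DateTimeOffset expiresAt, string oldPassword, string newPassword)
    {
        if (!IsLive(expiresAt, DateTimeOffset.UtcNow, TimeSpan.FromSeconds(10)))
            throw new InvalidOperationException("State token expired; restart primary authentication.");

        // No Authorization header: the stateToken in the body authorizes this one transaction.
        string body = JsonSerializer.Serialize(new { stateToken, oldPassword, newPassword });
        using var request = new HttpRequestMessage(
            HttpMethod.Post, OktaDomain + "/api/v1/authn/credentials/change_password")
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
        request.Headers.Accept.ParseAdd("application/json");

        using HttpResponseMessage response = await Http.SendAsync(request);
        string json = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new HttpRequestException(
                $"change_password failed with HTTP {(int)response.StatusCode}");

        // Return only the new transaction status; do not log the raw body,
        // since it can carry tokens for the next step of the transaction.
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("status").GetString();
    }
}
```

Keep the stateToken and both passwords out of logs and exception messages, and send the request only over HTTPS.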