I am looking for a method in the Okta SDK for .NET that allows for changing a password without the need for an API token. Is there such a method? So far the only method I found is the UsersClient. ChangePassword Method which requires a User object as a parameter. But a User can only be retrieved using the API token, afaik.
We don't want to support changing a password without an token because that would mean anyone could change your password! The state token is short lived (http://developer.okta.com/docs/api/resources/authn.html#state-token) and is tied to the transaction from the client, so it provides assurance that the client is allowed to change their password when it is expired.
Thank you Wils. The first method is what I was thinking of, using the stateToken instead of an API token, which is safer way to go because it is short-lived as you mentioned. I think the way to go in .NET would be to use the AuthClient.Execute Method (http://developer.okta.com/docs/sdk/core/csharp_api_sdk/html/2fa49a0f-1caa-3ae2-4a71-07fed35a1f03.htm) but I wish it was better documented: there's no guidance on how to build the parameters that need to be passed in the method.
Thx Wils. Question about the state token (http://developer.okta.com/docs/api/resources/authn.html#state-token). The API doc reads: The lifetime of the state token uses a sliding scale expiration algorithm that extends with every request. Always introspect the expiresAt property for the transaction when making decisions based on lifetime.
How long after I call the aforementioned AuthClient.Execute method to make the password change, will the token expire? Should I specifically expire it to be safe?
I believe it is a one time use code, so after you make the request, you shouldn't need to expire it manually. I think what that documenation is trying to get across is that you should check the expiresAt property before calling Execute to ensure the state token is not expired yet.