The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE). Note that additional Okta features may require reconfiguration or be disabled in order to complete the upgrade.

This article provides information regarding the use of the fromURI parameter for password recovery flows after an organization upgrades to the Okta Identity Engine (OIE).

In Okta Classic Engine, administrators may have appended the fromURI parameter to the password recovery URL generated through an API call or an administrator-initiated reset to redirect users. If the fromURI is missing, the user will be directed to the default application configured in the tenant. If the fromURI is not formatted correctly in OIE, the user receives the following error:
Your reset password token is no longer valid.
- Okta Identity Engine
- FROM_URI_USAGE_FOR_SSPR
- Password Recovery
Support for the fromURI parameter in password recovery flows is limited after upgrading to Okta Identity Engine. The expected format for the recovery URL parameter has changed, and certain recovery methods no longer support this functionality.
The following sections describe the supported and unsupported methods for using the fromURI parameter in OIE.
Supported Method
The only supported method is a self-service password recovery initiated from the Sign-In Widget.
NOTE: The format of the recovery URL changes after the upgrade to OIE.
- Okta Classic Engine:
  ${resetPasswordLink}?fromURI=https://<yourDomain.com>/<pathHere>
- Okta Identity Engine:
  ${resetPasswordLink}&fromURI=https://<yourDomain.com>/<pathHere>
To implement this change, modify the applicable email templates (Forgot Password, LDAP Forgot Password, Active Directory Password Reset) after the upgrade. For more information, refer to the guide on how to use customizable email templates.
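A check for the template change described above, as an added example that is not Okta's code: it scans email template bodies for `${resetPasswordLink}` followed by `fromURI`, reports which separator each occurrence uses, and rewrites the Classic `?` form to the OIE `&` form. The function names, the sample template bodies and the `example.com` URLs are constructed for illustration, and the script assumes the template bodies have been copied out as plain strings.

```python
import re

# ${resetPasswordLink} followed by a fromURI parameter; the separator is
# captured so the Classic ("?") and OIE ("&") forms can be told apart.
FROM_URI = re.compile(r"(\$\{resetPasswordLink\})([?&])(fromURI=)")


def audit_template(body):
    """Return (line_number, separator, status) for each fromURI use in a template."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for match in FROM_URI.finditer(line):
            sep = match.group(2)
            status = "oie-format" if sep == "&" else "classic-format"
            findings.append((lineno, sep, status))
    return findings


def migrate_template(body):
    """Rewrite Classic-style '?fromURI=' after the reset link to '&fromURI='."""
    return FROM_URI.sub(lambda m: m.group(1) + "&" + m.group(3), body)


def audit_all(templates):
    """Audit a {template_name: body} mapping and return findings per template."""
    return {name: audit_template(body) for name, body in templates.items()}


# Constructed sample bodies for the three templates named in the article.
SAMPLE_TEMPLATES = {
    "Forgot Password":
        '<a href="${resetPasswordLink}?fromURI=https://example.com/portal">Reset</a>',
    "LDAP Forgot Password":
        '<a href="${resetPasswordLink}&fromURI=https://example.com/portal">Reset</a>',
    "Active Directory Password Reset":
        '<a href="${resetPasswordLink}">Reset</a>',
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        if not findings:
            print(f"{name}: no fromURI, user lands on the default application")
        for lineno, sep, status in findings:
            print(f"{name}: line {lineno} uses '{sep}fromURI=' ({status})")
```

A template with no findings carries no fromURI at all, which per the article sends the user to the default application configured in the tenant.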
Unsupported Methods
The following recovery flows are not supported and will redirect the user to the default application configured in the tenant:
- API-initiated recovery flow:
  /api/v1/users/<userId>/credentials/forgot_password
- Administrator-initiated recovery flow: Recovery initiated from the Okta admin interface.
Recommended Approaches
- For a Single/Global Redirection: Adopt the built-in OIE experience within the Okta-hosted solution and specify a default application. This returns the user to the default application upon completion. The application can then provide further redirection as needed.
- For Multiple Destinations: Use the Okta SDKs with application context. This returns the user directly to the originating application upon completion. For dynamic redirection, a state can be set during initialization to guide the user back to a specific path within the application.
