If a user creates their Okta account by signing in with a social login or external identity provider (IdP), the account is created by Just-In-Time (JIT) provisioning.
However, when the user attempts to perform a password reset, they receive the following error message:
PASSWORD_BASED_LOGIN_DISALLOWED
Applies to:
- Just-In-Time (JIT) Provisioning
- External Identity Provider (IdP)
- Users created by JIT through social login (Okta is not the IdP)
The cause of this issue is that Okta cannot interface with the password reset functionality of external IdPs or other "sources of truth". The error message that the user sees (PASSWORD_BASED_LOGIN_DISALLOWED) is intentionally vague to prevent the disclosure of a user's account information to potentially malicious actors.
To reset the password of a user created through social login or an external identity provider (IdP), the reset must be performed on the social login side. For instance, if the user's account was created through a Google login, the user's Google account password will need to be reset.
The user has to reset their password at the external IdP, such as Google, and not through Okta. This is because Okta acts as the service provider and does not control the source of truth's password reset functionality.
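A help-desk triage check for the situation described above, as an added example that is not Okta's own code: it reads `credentials.provider.type` from user objects shaped like Okta Users API responses, tells the admin where the reset has to happen, and keeps the end-user message identical for every outcome. The sample records, the `triage_reset` helper, the end-user wording, and treating both `SOCIAL` and `FEDERATION` as externally sourced are assumptions.

```python
import json

# Constructed sample records shaped like Okta Users API user objects
# (only the fields this check reads). Not real accounts.
SAMPLE_USERS = json.loads("""
[
  {"id": "00u-constructed-1", "profile": {"login": "alice@example.com"},
   "credentials": {"password": {}, "provider": {"type": "OKTA", "name": "OKTA"}}},
  {"id": "00u-constructed-2", "profile": {"login": "bob@example.com"},
   "credentials": {"provider": {"type": "SOCIAL", "name": "SOCIAL"}}},
  {"id": "00u-constructed-3", "profile": {"login": "carol@example.com"},
   "credentials": {"provider": {"type": "FEDERATION", "name": "FEDERATION"}}},
  {"id": "00u-constructed-4", "profile": {"login": "dave@example.com"},
   "credentials": {}}
]
""")

# Assumption: these provider types mean the password lives at an external IdP.
EXTERNAL_IDP_TYPES = {"SOCIAL", "FEDERATION"}

# Hypothetical wording. One message for every outcome, so the reset form does
# not reveal how (or whether) an account was provisioned.
END_USER_MESSAGE = "If the account is eligible, reset instructions have been sent."


def triage_reset(user):
    """Return (admin_note, end_user_message) for a password reset request."""
    provider = user.get("credentials", {}).get("provider") or {}
    ptype = provider.get("type")
    login = user.get("profile", {}).get("login", "<unknown>")
    if ptype in EXTERNAL_IDP_TYPES:
        note = (f"{login}: provider type {ptype}; expect "
                "PASSWORD_BASED_LOGIN_DISALLOWED. Reset at the external IdP.")
    elif ptype == "OKTA":
        note = f"{login}: Okta-sourced credential; Okta reset flow applies."
    else:
        # Missing or unrecognised provider: do not guess, escalate.
        note = f"{login}: provider type {ptype!r}; review manually."
    return note, END_USER_MESSAGE


def triage_all(users):
    """Triage a batch of user objects, preserving input order."""
    return [triage_reset(u) for u in users]


if __name__ == "__main__":
    for note, _ in triage_all(SAMPLE_USERS):
        print(note)
```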
