When a user initiates a password reset flow via email magic link (EML) from a self-hosted Okta Sign-In Widget, they may encounter one of the following undesirable behaviors on the Okta-hosted sign-in page:
- Rather than the email magic link immediately presenting them with the password reset page, the user may instead be presented with a one-time passcode (OTP).
- Alternatively, the user may be presented with the password reset screen, but after submitting the password, will see the error:
  You have been logged out due to inactivity. Refresh or return to the sign in screen.
  Additionally, the password reset will be unsuccessful.
- Okta Identity Engine (OIE)
- Self-Hosted Okta Sign-In Widget
- Self-Service Password Reset (SSPR)
The undesirable behavior occurs because the "Forgot Password" email magic link redirects the user to the default Okta-hosted password reset page. When a reset password flow is initiated on a self-hosted widget but completed on the Okta-hosted widget, the Okta-hosted widget cannot load the necessary context to verify that the user attempting to reset the password is the same as the user who initiated the reset.
Okta offers two options to solve this problem: either edit the email templates so that the magic link takes the user directly back to the self-hosted widget, or add an Email Verification Experience (EVE) callback to the application, which redirects the user to the application after they click the email link.
For both of these options, it is necessary to initialize the Okta sign-in widget with the state and otp values returned in the URL to the app. In most cases, this is all that is required to have the widget automatically present the password reset page to the user.
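The following is an added example, not code from the Okta article or the Sign-In Widget project, showing how an application page can read the `otp` and `state` query parameters from the magic-link callback URL and pass them into the widget configuration. The callback URL, org URL, client ID and redirect URI are placeholders; the widget itself is assumed to be loaded separately as the global `OktaSignIn`. When either parameter is missing the helper falls back to the plain sign-in configuration instead of guessing, and the browser branch removes the one-time values from the address bar once they have been read.

```javascript
// Added example (not Okta's own code). Builds the Sign-In Widget configuration
// from the otp/state parameters that an EVE callback or an edited email
// template appends to the application URL, e.g. (placeholder URL):
//   https://app.example.com/reset?otp=123456&state=abcdef
function extractEmlParams(urlString) {
  // Returns { otp, state } or null when either value is absent.
  // Both are required: state lets the widget resume the transaction that the
  // self-hosted widget started, otp proves the user received the email.
  const url = new URL(urlString);
  const otp = url.searchParams.get('otp');
  const state = url.searchParams.get('state');
  if (!otp || !state) {
    return null;
  }
  return { otp, state };
}

function buildWidgetConfig(urlString, baseConfig) {
  const eml = extractEmlParams(urlString);
  if (eml === null) {
    // No magic-link parameters: render the ordinary sign-in page.
    return { ...baseConfig };
  }
  // Passing otp and state lets the widget pick up the password reset flow
  // instead of sending the user to the Okta-hosted page.
  return { ...baseConfig, otp: eml.otp, state: eml.state };
}

// Placeholder values; replace with the real org and application settings.
const baseConfig = {
  baseUrl: 'https://dev-000000.okta.com',
  clientId: '0oa-placeholder-client-id',
  redirectUri: 'https://app.example.com/login/callback',
  authParams: { issuer: 'https://dev-000000.okta.com/oauth2/default' },
};

// Browser-only section: skipped when the file is loaded outside a page
// or before the widget script (global OktaSignIn) is present.
if (typeof window !== 'undefined' && typeof OktaSignIn !== 'undefined') {
  const config = buildWidgetConfig(window.location.href, baseConfig);
  if (config.otp) {
    // Drop the single-use otp/state from the address bar and history so a
    // reload or a shared link does not replay them.
    window.history.replaceState(null, '', window.location.pathname);
  }
  const widget = new OktaSignIn(config);
  widget.renderEl(
    { el: '#okta-login-container' },
    function onSuccess(res) { console.log('sign-in status:', res.status); },
    function onError(err) { console.error('widget error:', err); }
  );
}
```

The widget constructor accepts `otp` and `state` as top-level configuration keys on Okta Identity Engine; everything else in `baseConfig` is the usual application configuration.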
Please see the related reference below for more details on the options and how to implement them.
