Okta Classic Engine | Integrations | Answered | 2025-06-29T09:00:41.000Z | 2018-08-08T15:39:18.000Z | 2020-04-10T21:42:13.000Z
How to implement a custom forgotten password flow using only the REST API?
Hi there! In my company we are currently developing a SPA that relies on the Okta REST API to manage the creation and login of users. As for the login, for example, we already have in place an authentication flow that takes the user input on our custom login page in our own domain and sends the credentials to our REST API backend, which performs the authentication via a REST call to the Okta API; if successful, a session is created in our backend and the affirmative response is then sent back to the UI.
Now we need to implement the forgotten password recovery flow. I've been looking at using the Okta forgotten password flow to leverage the token/emailing system it already has. This is the flow I have in mind, but I'm not sure if it can be done, please advise:

- the user goes to our custom "forgotten password page" that is NOT using the Okta widget (https://mysite.com/forgot_password)

- the user enters the account email and presses "Send recovery email"

- the recovery request is sent to our backend, which dispatches a request to the Okta REST API

- Okta receives the password recovery request and sends out an email (using a custom email address, noreply@example.com) with a custom message and a link to https://mysite.com/forgot_password?token=ABC123

- the user receives the email and clicks on the link, which redirects the user to our web app, enters the security question answer, sets a new password and clicks on "Change password"

- the new credentials + the security question answer + the token are sent to our backend, which sends the change password confirmation to the Okta API to finalize the process.

Can something like this be performed by only using the REST API and the emailing system from Okta?

Thanks in advance.

  • Hi Maximiliano,
    Thanks for reaching out to the Support Community today! We do offer support articles that should ease the task that you are trying to accomplish. Please check the articles below for specific information regarding the APIs needed in this case: 
    https://developer.okta.com/docs/api/resources/authn.html#forgot-password 

    https://developer.okta.com/docs/api/resources/authn#verify-recovery-factor

    https://developer.okta.com/docs/api/resources/factors

    https://developer.okta.com/docs/api/resources/users#lifecycle-operations
    In case further assistance is needed on how to set this up, we can definitely assist with that piece. For this we would recommend opening a new case with the Support Team.
    Thank you,
    Mihai Ionescu

    Technical Support Engineer

    Okta Global Customer Care
  • 2xpf4 (2xpf4)

    Dear Maximiliano, 
    How did you end up implementing this?
    I want to do the same thing, but the documentation above is confusing. The ideal way would have been ready recipes which a user can read through and follow, based on the most commonly used use cases.

  • 2xpf4 (2xpf4)

    I read through the documentation... can we follow the process below?

    call the lifecycle/reset_password API with sendEmail=false

    strip the OTT from the above call and send it to the user in an email as a link to the custom page

    on the custom page the user enters the new password

    get the stateToken against the OTT

    use credentials/reset_password to set the new password.

  • Clifff.04823 (Customer)

    Hi, 
    We are also implementing custom activation and forgot password flows. For the forgot password flow, which API should I call to check whether the one-time code is valid or expired?

    Let me explain in detail:

    For the activation flow, we are calling the "/lifecycle/activate?sendEmail=false" API and it generates an activationToken and activationLink. Then we call "/api/v1/authn" to validate the activationToken. Similarly, we need to support the forgot password flow. I call "/credentials/forgot_password?sendEmail=false" and it generates a resetPasswordUrl. If I extract the one-time code from that URL, which API can I call to validate that token? Since it is a custom UI, we can't directly click the link in the resetPasswordUrl. If the link expires after 24 hr, we need to convey this message to the user, but I am not sure how to accomplish that.

    Also, how do I set up the config in Okta so that the forgotPasswordLink expires in 24 hr or so? (I could set it up for the activationLink but not for the forgotPasswordLink.)

  • nmz8a (nmz8a)

    https://developer.okta.com/docs/reference/api/users/#reset-password

    Tricky part here

    Docs:

    This operation will transition the user to the status of RECOVERY and the user will not be able to login or initiate a forgot password flow until they complete the reset flow.

    So in other words, I can request forgot password for another person, and this person will be blocked!

  • @nmz8a (nmz8a) I think you could get around this by re-generating a recovery token for the user. In other words, if the user does not set their password, when they go to request a new set-password link their recovery token should be re-generated.
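The flow the posters piece together above (mint a one-time token with `lifecycle/reset_password?sendEmail=false`, e-mail the link yourself, then drive the Authentication API through `/authn/recovery/token`, `/authn/recovery/answer` and `/authn/credentials/reset_password`), as one runnable Python module. This is an added example, not code from the thread or from Okta. The endpoint paths, the transaction statuses (RECOVERY, PASSWORD_RESET, SUCCESS) and the E0000011 "Invalid token provided" error come from the Okta Users and Authentication API references linked in the thread; everything else is assumed or constructed for the example: the user id `00u1`, the admin API token `test-token`, the security answer `cowboy`, the org host `example.okta.com`, the 24 h token lifetime Clifff mentions, the wording of the wrong-answer error, and `FakeOkta` itself, an in-memory stand-in whose responses are trimmed to the fields the client reads so the module runs offline.

```python
"""Custom forgot-password flow on the Okta Classic Engine Authentication API. Added example, not
code from the thread or from Okta; FakeOkta is a constructed offline stand-in with trimmed responses."""
import secrets
from typing import Callable, Dict, Tuple
from urllib.parse import urlparse

Transport = Callable[[str, str, dict, dict], Tuple[int, dict]]  # (method, path, json body, headers)
INVALID_TOKEN = (401, {"errorCode": "E0000011", "errorSummary": "Invalid token provided"})


class RecoveryLinkInvalid(Exception): """Okta said 401 E0000011: token expired, already used or unknown."""


class OktaRecoveryClient:
    def __init__(self, transport: Transport, api_token: str, site: str = "https://mysite.com"):
        self._t, self._site = transport, site
        self._admin = {"Authorization": f"SSWS {api_token}"}  # admin API token never leaves the backend

    def begin(self, user_id: str) -> str:
        """Backend: mint a recovery token without Okta e-mailing it; return the link we send ourselves."""
        status, body = self._t("POST", f"/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail=false",
                               {}, self._admin)
        if status != 200:
            raise RuntimeError(body.get("errorSummary", body))
        ott = urlparse(body["resetPasswordUrl"]).path.rsplit("/", 1)[-1]  # last path segment is the OTT
        return f"{self._site}/forgot_password?token={ott}"

    def verify_link(self, token: str) -> Tuple[str, str]:
        """User clicked: swap the OTT for a stateToken and the security question to display."""
        status, body = self._t("POST", "/api/v1/authn/recovery/token", {"recoveryToken": token}, {})
        if status != 200 or body.get("status") != "RECOVERY":  # 401 E0000011 = expired, consumed or unknown
            raise RecoveryLinkInvalid(body["errorSummary"]) if body.get("errorCode") == "E0000011" else RuntimeError(body)
        return body["stateToken"], body["_embedded"]["user"]["recovery_question"]["question"]

    def finish(self, state_token: str, answer: str, new_password: str) -> str:
        """Answer the question (RECOVERY -> PASSWORD_RESET), then set the password (-> SUCCESS)."""
        status, body = self._t("POST", "/api/v1/authn/recovery/answer",
                               {"stateToken": state_token, "answer": answer}, {})
        if status != 200 or body.get("status") != "PASSWORD_RESET":
            raise RuntimeError(body.get("errorSummary", body))
        status, body = self._t("POST", "/api/v1/authn/credentials/reset_password",
                               {"stateToken": body["stateToken"], "newPassword": new_password}, {})
        if status != 200 or body.get("status") != "SUCCESS":
            raise RuntimeError(body.get("errorSummary", body))
        return body["sessionToken"]


class FakeOkta:
    def __init__(self, token_lifetime_s: float, now: float = 0.0):
        self.now, self.lifetime = now, token_lifetime_s  # test clock: advance okta.now to simulate delay
        self.users = {"00u1": {"status": "ACTIVE", "answer": "cowboy", "password": "old"}}  # constructed
        self.recovery: Dict[str, Tuple[str, float]] = {}  # OTT -> (userId, expiresAt)
        self.states: Dict[str, Tuple[str, str]] = {}      # stateToken -> (userId, transaction status)

    def __call__(self, method: str, path: str, body: dict, headers: dict) -> Tuple[int, dict]:
        if path.startswith("/api/v1/users/") and path.endswith("/lifecycle/reset_password?sendEmail=false"):
            if headers.get("Authorization") != "SSWS test-token":
                return INVALID_TOKEN
            uid, ott = path.split("/")[4], secrets.token_urlsafe(15)
            self.recovery[ott] = (uid, self.now + self.lifetime)
            self.users[uid]["status"] = "RECOVERY"  # docs caveat quoted above: no login until reset completes
            return 200, {"resetPasswordUrl": f"https://example.okta.com/signin/reset-password/{ott}"}
        if path == "/api/v1/authn/recovery/token":
            rec = self.recovery.pop(body.get("recoveryToken"), None)  # one-time: consumed on first use
            if rec is None or rec[1] < self.now:
                return INVALID_TOKEN
            st = secrets.token_urlsafe(15)
            self.states[st] = (rec[0], "RECOVERY")
            return 200, {"stateToken": st, "status": "RECOVERY", "_embedded": {"user": {
                "id": rec[0], "recovery_question": {"question": "Who's a major player in the cowboy scene?"}}}}
        if path == "/api/v1/authn/recovery/answer":
            uid, st_status = self.states.get(body.get("stateToken"), (None, None))
            if st_status != "RECOVERY" or body.get("answer") != self.users[uid]["answer"]:
                return 403, {"errorSummary": "State token or recovery answer not accepted"}  # constructed text
            self.states[body["stateToken"]] = (uid, "PASSWORD_RESET")
            return 200, {"stateToken": body["stateToken"], "status": "PASSWORD_RESET"}
        if path == "/api/v1/authn/credentials/reset_password":
            uid, st_status = self.states.pop(body.get("stateToken"), (None, None))
            if st_status != "PASSWORD_RESET":
                return INVALID_TOKEN
            self.users[uid].update(password=body["newPassword"], status="ACTIVE")
            return 200, {"status": "SUCCESS", "sessionToken": secrets.token_urlsafe(15)}
        return 404, {"errorSummary": "not found"}


def run(click_delay_s: float) -> dict:
    """Mint the link at t=0, have the user click it click_delay_s later (24 h lifetime), then finish."""
    okta = FakeOkta(token_lifetime_s=86_400)
    client = OktaRecoveryClient(okta, "test-token")
    link = client.begin("00u1")
    pending = okta.users["00u1"]["status"]  # RECOVERY while the link is outstanding (nmz8a's concern)
    okta.now += click_delay_s
    try:
        state, question = client.verify_link(link.split("token=", 1)[1])
    except RecoveryLinkInvalid as e:  # Clifff's case: the expired code is detected here, not earlier
        return {"pending": pending, "error": str(e), "final": okta.users["00u1"]["status"]}
    client.finish(state, "cowboy", "N3w-Passw0rd!")
    return {"pending": pending, "question": question, "final": okta.users["00u1"]["status"],
            "password": okta.users["00u1"]["password"]}
```

`run(60)` completes the reset; `run(86_401)` shows what Clifff asked about: there is no separate "is this code still valid" call, the expired code surfaces only when `/authn/recovery/token` rejects it with 401 E0000011, so that is the response the custom page should map to a "this link has expired" message. Both results also carry the user's status while the link is outstanding, which is the RECOVERY lockout nmz8a quotes from the docs: in the expired case the user is still in RECOVERY at the end, so the backend has to let them request a fresh link (regenerating the token, as the last reply suggests) rather than leaving them stuck. The admin API token is only ever sent on the `lifecycle/reset_password` call from the backend; the end-user steps carry no credential beyond the one-time token and the stateToken it is exchanged for.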

This question is closed.