
KevinB.90047 (Customer) asked a question.
I am trying to port my C* .NET code from SDK version 0.3.3 to SDK version 1.2.1.
Although I can validate login credentials for an existing user and I can send Forgot Password email for a user-initiated password reset, I am having trouble resetting the password. It fails with the error message:
"This operation is not allowed in the current authentication state. (403, E0000079)"
even after my code sets the user to state PasswordExpired.
Notes:
(1) The password policy is the same as the policy that worked for SDK version 0.3.3.
(2) This is not using an Okta app; the user never sees the Okta user interface.
(3) This does _not_ use ActiveDirectory either.
(4) This also does _not_ use MFA or even a password reset question/answer.
(5) It relies only on the token in the forgot password email to ensure that nobody can reset someone else's password. (You certainly could argue that this should be made more secure, but first I must get this simple use case working with SDK version 1.2.1.)
Here is an outline of what worked for SDK version 0.3.3:
var usersClient = new UsersClient(this.oktaApiToken, new Uri(this.oktaBaseUri));
AuthClient authClient = new AuthClient(new OktaSettings
{
    BaseUri = new Uri(this.oktaBaseUri),
    ApiToken = this.oktaApiToken
});

// This throws an exception if the password reset token is not valid.
// The value "sptoken" is from the password reset email.
Okta.Core.Models.AuthResponse authResponse = authClient.ValidateToken(sptoken);

// This throws an exception if the new password does not satisfy the complexity requirements.
usersClient.SetPassword(authResponse.Embedded.User.Id, newPassword);
Here is an outline of what I am attempting to do for SDK 1.2.1:
// Move the user account to state PasswordExpired to satisfy the SDK 1.x state transition scheme.
// (Code to get "user" object.)
bool? tempPassword = false;
ITempPassword x = await user.ExpirePasswordAsync(tempPassword);

var authClient = new AuthenticationClient(
    new Okta.Sdk.Abstractions.Configuration.OktaClientConfiguration
    {
        OktaDomain = this.oktaBaseUri,
        Token = this.oktaApiToken
    });

var resetPasswordOptions = new ResetPasswordOptions()
{
    NewPassword = newPassword,
    // stateToken from validating token from forgot password email.
    StateToken = stateToken,
};

// This still throws an exception even for state PasswordExpired.
// "This operation is not allowed in the current authentication state. (403, E0000079)"
IAuthenticationResponse authResponse = await authClient.ResetPasswordAsync(resetPasswordOptions);
Note that the error message does _not_ say that the StateToken is invalid. Instead, it is saying that the authentication state is wrong, even though the user is in state PasswordExpired. Suggestions? Thanks.

Update: I opened a Support Case to add the option to _not_ require a password recovery question / answer. Soon afterward I received email that the option had been added to my Okta organization. (That was fast!) Then unchecking the new "Security question" checkbox in the admin user interface (as described above) completely solved my problem.
Now when a user receives and responds to Forgot Password email, the authentication status goes directly to PASSWORD_RESET and the C# code can set the new password directly, as it did for SDK version 0.3.3. Previously, the authentication status went to state RECOVERY, which required answering a password recovery question.
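The two-way branch the Update describes (authentication status RECOVERY when the org's password policy still requires a security question, PASSWORD_RESET when it does not), written out as an added example. This is not code from the original post and not Okta's own sample; it assumes Okta.Auth.Sdk 1.x with Okta.Sdk.Abstractions, and the method name ResetFromRecoveryEmailAsync, the parameter names, and the placeholder domain are mine.

```csharp
// Added example, not from the original post. Assumes Okta.Auth.Sdk 1.x.
// Domain, recovery token, answer and password values are placeholders supplied by the caller.
using System;
using System.Threading.Tasks;
using Okta.Auth.Sdk;
using Okta.Sdk.Abstractions.Configuration;

public static class RecoveryFlow
{
    // Completes a user-initiated Forgot Password flow from the emailed recovery token.
    // recoveryAnswer is only needed when the org policy still has "Security question" enabled.
    public static async Task<IAuthenticationResponse> ResetFromRecoveryEmailAsync(
        string oktaDomain,          // e.g. "https://dev-123456.okta.com" (placeholder)
        string recoveryToken,       // the token carried in the Forgot Password email link
        string newPassword,
        string recoveryAnswer = null)
    {
        // The /authn endpoints are not admin calls, so no API token is required here.
        var authClient = new AuthenticationClient(new OktaClientConfiguration
        {
            OktaDomain = oktaDomain,
        });

        // Step 1: exchange the one-time recovery token for a state token.
        // An invalid or expired token throws here, which is the correct outcome:
        // the emailed token is the only thing tying this request to the account.
        var response = await authClient.VerifyRecoveryTokenAsync(new VerifyRecoveryTokenOptions
        {
            RecoveryToken = recoveryToken,
        });

        // Step 2: branch on the returned status instead of assuming PASSWORD_RESET.
        // With the security question enabled the status is RECOVERY, and calling
        // ResetPasswordAsync in that state is what produces 403 E0000079.
        if (response.AuthenticationStatus == AuthenticationStatus.Recovery)
        {
            if (string.IsNullOrEmpty(recoveryAnswer))
            {
                throw new InvalidOperationException(
                    "Status is RECOVERY: the org policy requires a recovery question answer.");
            }

            response = await authClient.AnswerRecoveryQuestionAsync(new AnswerRecoveryQuestionOptions
            {
                StateToken = response.StateToken,
                Answer = recoveryAnswer,
            });
        }

        if (response.AuthenticationStatus != AuthenticationStatus.PasswordReset)
        {
            throw new InvalidOperationException(
                $"Unexpected authentication status {response.AuthenticationStatus}; not resetting password.");
        }

        // Step 3: set the new password with the state token from this flow. A password that
        // fails the org's complexity rules throws here, as SetPassword did in SDK 0.3.3.
        return await authClient.ResetPasswordAsync(new ResetPasswordOptions
        {
            StateToken = response.StateToken,
            NewPassword = newPassword,
        });
    }
}
```

Checking AuthenticationStatus before each call is the practical guard against E0000079: the error does not mean the state token is bad, only that the transition being requested is not valid from the current status, so the code should read the status Okta returned rather than the user lifecycle state set through the management API.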