
JesseJ.06409 (Customer) asked a question.
Our site allows users to change their own password, with the typical inputs of "current password" and "new password". For this we've been using the API "POST /api/v1/users/${userId}/credentials/change_password". Unfortunately we just realized that this does not take password history into consideration despite the currently-set password policy. The API has a "strict" parameter, but the docs say "strict" will validate against password age, with no mention of password history.
Why won't this API consider password policy? "POST /api/v1/users/${userId}" says it checks against password history, but this doesn't account for oldPassword. Unless I'm missing something here, it looks like I don't have any options to do what I want to.

Hi Jesse,
For the strict parameter, it takes the minimum age policy, not the password history. The password policy is not recognized when the change is made through the API; the default will be considered and applied to the change of the user's password.
In regards to the oldPassword, it takes only the current password for the user and does not take the other passwords.
Docs: https://developer.okta.com/docs/reference/api/users/#change-password
https://developer.okta.com/docs/reference/api/users/#password-object
In case you have more questions related to this matter, you are more than welcome to open a support ticket with us.
Thank you,
Vlad Tanasa
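An added example (not Okta's code and not code from anyone in this thread) of what the answer above implies for an application: the request to the documented change_password endpoint carries only oldPassword and newPassword, and strict=true adds the minimum-age check, so any password-history rule has to be enforced by the application before the call is made. The org URL, user id, history depth, PBKDF2 parameters and the in-memory history store are all assumptions for illustration; the block builds the request but sends nothing, so it runs offline.

```python
"""Application-side password history in front of Okta's change_password API.

Added example, not Okta's code. The Okta org URL, user id, hash parameters and
the in-memory store below are hypothetical; the request shape follows the
documented endpoint:
    POST /api/v1/users/{userId}/credentials/change_password?strict=true
    body: {"oldPassword": {"value": "..."}, "newPassword": {"value": "..."}}
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlencode, urljoin

# Hypothetical work factor; tune for the deployment.
HASH_ITERATIONS = 100_000


def build_change_password_request(org_url, user_id, old_password, new_password, strict=True):
    """Return the HTTP request (as a dict) for the change_password endpoint.

    strict=true only makes Okta enforce the minimum password age; it does not
    check password history, which is why the caller must do that itself.
    """
    path = f"/api/v1/users/{user_id}/credentials/change_password"
    url = urljoin(org_url, path)
    if strict:
        url += "?" + urlencode({"strict": "true"})
    body = {"oldPassword": {"value": old_password}, "newPassword": {"value": new_password}}
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    return {"method": "POST", "url": url, "headers": headers, "body": json.dumps(body)}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
    return salt, digest


def password_in_history(password, history):
    """True if password matches any (salt, digest) entry; constant-time compares."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


class PasswordHistory:
    """Hypothetical store: per user, the last `depth` salted hashes, newest last."""

    def __init__(self, depth=4):
        self.depth = depth
        self._store = {}

    def record(self, user_id, password):
        entries = self._store.setdefault(user_id, [])
        entries.append(hash_password(password))
        del entries[:-self.depth]  # keep only the newest `depth` entries

    def reused(self, user_id, password):
        return password_in_history(password, self._store.get(user_id, []))


def change_password(history, org_url, user_id, old_password, new_password):
    """Enforce history locally; return the request to send, or None if rejected."""
    if history.reused(user_id, new_password):
        return None
    return build_change_password_request(org_url, user_id, old_password, new_password)


if __name__ == "__main__":
    # Constructed demo data; "00u1" and the org URL are placeholders.
    hist = PasswordHistory(depth=3)
    hist.record("00u1", "Winter2023!")  # an earlier password
    hist.record("00u1", "Spring2024!")  # the current password
    print(change_password(hist, "https://example.okta.com", "00u1", "Spring2024!", "Winter2023!"))
    print(change_password(hist, "https://example.okta.com", "00u1", "Spring2024!", "Summer2024!"))
```

Two caveats follow from the design rather than from Okta: record the new password in the store only after Okta accepts the change (a request rejected for minimum age must not poison the history), and the store only knows about passwords that went through this path, so changes made via the sign-in widget or an admin reset are invisible to it.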
All you did was re-state what I already know. I wanted to know why this is, and if there's anything I can do about it.
@JesseJ.06409 (Customer) I've run into the same issue with our web app. I've gotten no clear answers yet. Did you ever figure this out?
Hi,
I have the same problem with my dev: the OKTA API (/api/v1/users/${userId}/credentials/change_password [POST] and /api/v1/users/ [PUT]) does not take the password history into account, with or without strict = true. So my question is: is this password policy only taken into account by the widget?
Thanks for your reply.
Br.