We are currently using Janrain.
We are trying out Auth0 to replace Janrain.
We are facing one issue with password reset flow.
We have mobile applications which invoke our backend API. The backend API invokes Janrain/Auth0.
The current flow for password reset is:
- Mobile app opens an HTML page which is hosted on our server
- This HTML page asks the user to specify the email address.
- It then invokes Janrain’s forgot password API
- Janrain sends out an email with a password reset link. This link is hosted on our server only. Janrain appends an authorization token at the end of the URL
- When the user clicks this link in the email, we ask for a new password and invoke the Janrain API - first exchange the authorization token for an access token, and then using the access token update the profile with the new password
Here we have our own look and feel for the two HTML pages and any message being shown.
Also in the page where we ask for the new password, we validate the password strength.
Please note that multiple mobile apps can use this service and we can allow customization (look & feel, password strength, etc.) per app.
But in Auth0, I know that it has its own inbuilt mechanism of password reset.
Below are my questions:
- Can we somehow get the authorization token at the server (we only have the user’s email id) and then use our own flow to update the password (we can invoke the update profile API)
- OR can we customize all screens and all messages/popups which come up in the password reset
Auth0’s reset password flow is VERY customizable, you will be able to do all of this.
There are many different approaches, I’ll mention the tools you have available to implement this:
- You can customize Auth0’s out-of-the-box reset password flow. Our pages are quite customizable, on an app by app basis even. This is probably the best method.
- You can send your own email with your own auth token, and that takes you to your hosted page where you then use Auth0’s API to reset the password. Perhaps a little more effort than your current Janrain implementation, and personally I prefer the out-of-the-box approach.
We are currently using the API “/dbconnections/change_password” to reset the password.
I know that we can customize the email template.
But where & how can we customize:
- The page which opens when the link in the email is clicked
- The success message popup
- The error message popup
We need the exact look and feel like this
I would start with the new universal login page customization: New Universal Login Experience
You can customize the template, and the text within the widget.
If that is not sufficient, you can host the entire process yourself, making a management API call to PATCH the user’s password.
Can we generate an Authorization token for the user whose password needs to be reset at the server side by invoking Management APIs?
This is how we are handling it in Janrain. The Authorization code will go as a query parameter in the link in the email. And when user gives new password, we exchange authorization code to access token and update the user’s profile.
Generating an auth token for a user sounds like impersonation to me, and we don’t do impersonation. It is incredibly difficult, if not impossible, to securely do impersonation.
Instead of an auth token, we have a password reset ticket. This is a URL that takes the user to the password reset page.
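Added example (not code from the thread, from Auth0, or from either poster): the two server-side Management API calls the replies point to, the password-change ticket that replaces the Janrain-style authorization token, and the direct PATCH of the user's password for a fully self-hosted page. Both are wrapped behind an injectable HTTP transport so the file runs offline against a constructed fake tenant; the tenant domain, connection id, user id and Management API token are placeholders. The endpoints are `POST /api/v2/tickets/password-change` and `PATCH /api/v2/users/{id}`, which require the `create:user_tickets` and `update:users` scopes respectively.

```python
"""Added example: Auth0 password-change ticket vs. direct password PATCH,
with an injectable transport so it runs offline against a constructed fake."""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional
from urllib.parse import quote

# Assumption: placeholder tenant domain; replace with your own tenant.
AUTH0_DOMAIN = "example-tenant.auth0.com"


@dataclass
class HttpResponse:
    status: int
    body: Dict[str, Any]


# transport(method, url, headers, json_body) -> HttpResponse
Transport = Callable[[str, str, Dict[str, str], Dict[str, Any]], HttpResponse]


def _headers(mgmt_token: str) -> Dict[str, str]:
    # The Management API token is a server-side secret; it never reaches the mobile apps.
    return {"Authorization": f"Bearer {mgmt_token}", "Content-Type": "application/json"}


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Per-app strength rule enforced on your own page before calling Auth0.
    The connection-level policy in Auth0 still applies and can reject weaker values."""
    return (
        len(password) >= min_length
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def create_password_change_ticket(
    transport: Transport, mgmt_token: str, *, result_url: str, ttl_sec: int = 300,
    user_id: Optional[str] = None, email: Optional[str] = None, connection_id: Optional[str] = None,
) -> str:
    """POST /api/v2/tickets/password-change (scope create:user_tickets).
    Identify the user by user_id, or by email plus the database connection id when,
    as in the thread, the backend only knows the email. The returned ticket URL is a
    single-use bearer credential: put it in your own email, keep ttl_sec short, never log it."""
    if user_id is None and not (email and connection_id):
        raise ValueError("need user_id, or email together with connection_id")
    body: Dict[str, Any] = {"result_url": result_url, "ttl_sec": ttl_sec}
    if user_id is not None:
        body["user_id"] = user_id
    else:
        body["email"], body["connection_id"] = email, connection_id
    url = f"https://{AUTH0_DOMAIN}/api/v2/tickets/password-change"
    resp = transport("POST", url, _headers(mgmt_token), body)
    if resp.status != 201:
        raise RuntimeError(f"ticket creation failed: {resp.status} {resp.body}")
    return resp.body["ticket"]


def set_user_password(
    transport: Transport, mgmt_token: str, user_id: str, new_password: str,
    connection: str = "Username-Password-Authentication", min_length: int = 12,
) -> Dict[str, Any]:
    """PATCH /api/v2/users/{id} (scope update:users). Only for a flow you host entirely
    yourself: your page must already have proven that the caller owns the account."""
    if not password_meets_policy(new_password, min_length):
        raise ValueError("password does not meet this app's policy")
    # user ids look like 'auth0|...'; the '|' must be percent-encoded in the path
    url = f"https://{AUTH0_DOMAIN}/api/v2/users/{quote(user_id, safe='')}"
    resp = transport("PATCH", url, _headers(mgmt_token), {"password": new_password, "connection": connection})
    if resp.status != 200:
        raise RuntimeError(f"password update failed: {resp.status} {resp.body}")
    return resp.body


def make_fake_transport(calls: List[Dict[str, Any]]) -> Transport:
    """Constructed stand-in for the tenant: records each call and returns canned
    responses shaped like the real ones (201 + ticket URL, 200 + user object)."""
    def transport(method: str, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> HttpResponse:
        calls.append({"method": method, "url": url, "body": body})
        if not headers.get("Authorization", "").startswith("Bearer "):
            return HttpResponse(401, {"error": "missing bearer token"})
        if method == "POST" and url.endswith("/api/v2/tickets/password-change"):
            return HttpResponse(201, {"ticket": f"https://{AUTH0_DOMAIN}/lo/reset?ticket=constructed-ticket-value"})
        if method == "PATCH" and "/api/v2/users/" in url:
            return HttpResponse(200, {"user_id": "auth0|5f1a2b3c", "email": "user@example.com"})
        return HttpResponse(404, {"error": "not found"})
    return transport


def run_demo() -> Dict[str, Any]:
    """Exercise both alternatives against the fake transport and return what each produced."""
    calls: List[Dict[str, Any]] = []
    fake = make_fake_transport(calls)
    token = "constructed-mgmt-api-token"  # constructed placeholder, never a real secret
    ticket = create_password_change_ticket(
        fake, token, result_url="https://app.example.com/reset-done",
        email="user@example.com", connection_id="con_0123456789abcdef")
    user = set_user_password(fake, token, "auth0|5f1a2b3c", "Correct-Horse-7")
    return {"ticket": ticket, "user": user, "calls": calls}


if __name__ == "__main__":
    out = run_demo()
    print(out["ticket"])
    for call in out["calls"]:
        print(call["method"], call["url"])
```

For a real tenant, swap `make_fake_transport` for a transport built on `requests` or `urllib` that sends the JSON body and returns the status and parsed body. The design difference between the two calls is the security point of the reply above: with a ticket, proof that the requester owns the mailbox stays inside Auth0 (the ticket only works once and only for the user it was minted for), whereas with a direct PATCH your own page carries that proof, which is the part that makes minting per-user tokens hard to do safely.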