Hello, I am new to the community. I am trying to find a solution for resetting a password on my own application's page.
I understand that Auth0 gives us an API to reset a password by sending an email, with the reset done on the Universal Login page.
My story is:
- User forgets password
- Enter his/her email
- Send email
- User clicks the link
- User will come to my own application’s reset password page
- User resets password
I have already checked the Auth0 Management API to update the password with /users/{id}.
However, I have no idea how to get an access token for a user who has forgotten their password and is not logged in yet, and I am worried about impostors.
Please help me to realize my story, in which the user can reset their password on my own application's reset password page.
Thanks,
TShida
Hi @TShida951
If you redirect the user to your own page, you are taking responsibility for ensuring that they are the proper user. Unless there is a VERY good reason to do this, you should use Auth0’s built-in flow for changing the password.
Your application can access the Management API with a client credentials token. This token is NOT tied to the user changing their password. Again, you are taking that responsibility on if you do this.
John
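An added example, not part of the original thread and not Auth0 code: a minimal sketch of what "ensuring that they are the proper user" involves if the emailed link lands on your own page. The in-memory `store`, the `users_by_email` lookup, `RESET_URL`, and the 15-minute lifetime are all assumptions made for illustration; the final password update through the Management API `/users/{id}` call is left as a comment.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

RESET_URL = "https://app.example.com/reset?token="  # constructed placeholder
TOKEN_TTL_SECONDS = 15 * 60                          # assumed lifetime
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


def _digest(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store: dict, user_id: str, now: Optional[float] = None) -> str:
    """Create a one-time token; any earlier token for the user is revoked."""
    now = time.time() if now is None else now
    for key in [k for k, v in store.items() if v["user_id"] == user_id]:
        del store[key]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[_digest(token)] = {"user_id": user_id, "expires": now + TOKEN_TTL_SECONDS}
    return token


def request_reset(store: dict, users_by_email: dict, email: str,
                  now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """'Enter email' step: the reply is identical whether or not the account exists."""
    user_id = users_by_email.get(email.strip().lower())
    link = None
    if user_id is not None:
        link = RESET_URL + issue_reset_token(store, user_id, now)
    # The link goes to the mailer only; it is never shown to the browser.
    return GENERIC_REPLY, link


def redeem_reset_token(store: dict, token: str,
                       now: Optional[float] = None) -> Optional[str]:
    """'Reset password' step: return the user the token was issued to, or None."""
    now = time.time() if now is None else now
    record = store.pop(_digest(token), None)  # consumed on first use
    if record is None or now > record["expires"]:
        return None
    # The user id comes from the stored record, never from the request.
    # The server would now update the password via the Management API
    # /users/{id} call using its own client credentials token.
    return record["user_id"]
```
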
Hello, @john.gateley
Thank you for your quick reply.
> If you redirect the user to your own page, you are taking responsibility for ensuring that they are the proper user.

I totally understand this, and this is one of the answers which I expect.
I will discuss with my project team again.
Thank you,
TShida
Let us know if you have any other questions down the road!