Problem with Redirect from Action/Rule to Password Reset Ticket Link when Using the New Universal Login

Last Updated: Sep 19, 2024

Overview

When redirecting a user to a generated password reset ticket via an Action (api.redirect.sendUserTo) or a Rule (context.redirect), the password reset link does not work. The problem occurs only with the New Universal Login.

Applies To

  • New Universal Login
  • Password Reset Ticket Link

Cause

This is a difference in behavior between the Classic and New Universal Login. Redirect Rules/Actions forcefully append a state parameter to any URL used as the redirect target, and there is no mechanism in the Auth0 code to prevent this. The state parameter is what allows authentication to be resumed once whatever needs to happen at the redirect target is done.

In New Universal Login, the endpoints use an internal state parameter for their own handling. Passing state to the password reset flow while using New Universal Login is currently not supported unless the New Experience itself generated that state. The state appended by the Rule or Action is not the state the New Experience is using, which causes the issue.

Classic Universal Login does not have the same problem and appears to ignore the state parameter.

Solution

There are a few solutions available:

  1. Append the password reset ticket to the /v2/logout endpoint as a returnTo parameter instead of redirecting to the password reset ticket directly. This works for both Classic and New Universal Login. See this document for more details.

  2. Switch entirely to the Classic Experience.

  3. Enable the Password Reset page customization, enabling the Classic Experience just for the Password Reset flow.
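
The following is an added example, not Auth0's own code, illustrating solution 1: it builds the /v2/logout URL with the ticket as returnTo and shows where the appended state ends up in each case. The function names, tenant domain, ticket value, state value, and the simplified `withAppendedState` model of the redirect are assumptions made for illustration.

```javascript
// Added example. Tenant domain and ticket value are constructed placeholders.
const TENANT_DOMAIN = "example-tenant.auth0.com";

// Build the /v2/logout URL that carries the reset ticket as returnTo.
function logoutUrlForTicket(tenantDomain, ticketUrl, clientId) {
  const ticket = new URL(ticketUrl);
  // Forward only HTTPS tickets on the expected domain, so the redirect
  // target cannot be steered to an arbitrary host.
  if (ticket.protocol !== "https:" || ticket.hostname !== tenantDomain) {
    throw new Error("ticket URL is not on the tenant domain");
  }
  const logout = new URL(`https://${tenantDomain}/v2/logout`);
  // searchParams.set percent-encodes the ticket URL, so its own query
  // string stays inside returnTo instead of mixing with logout's.
  logout.searchParams.set("returnTo", ticket.toString());
  if (clientId) logout.searchParams.set("client_id", clientId);
  return logout.toString();
}

// Simplified model of the behaviour under "Cause": the redirect appends
// a state parameter to whatever URL it is given.
function withAppendedState(targetUrl, state) {
  const u = new URL(targetUrl);
  u.searchParams.set("state", state);
  return u.toString();
}

function demo() {
  const ticketUrl = `https://${TENANT_DOMAIN}/lo/reset?ticket=CONSTRUCTED_TICKET`;
  const state = "CONSTRUCTED_STATE";
  return {
    ticketUrl,
    // Direct redirect: state lands on the reset link itself.
    direct: withAppendedState(ticketUrl, state),
    // Via logout: state lands on /v2/logout; returnTo is untouched.
    viaLogout: withAppendedState(logoutUrlForTicket(TENANT_DOMAIN, ticketUrl), state),
  };
}

// In an Action, the built URL would be the redirect target:
//   api.redirect.sendUserTo(logoutUrlForTicket(domain, ticketUrl));
console.log(demo());
```

The logout endpoint honours returnTo only when the URL is listed in Allowed Logout URLs (tenant-level, or application-level when client_id is sent), and the ticket URL should be kept out of logs because it grants a password reset to whoever holds it.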