Problem with redirect from Action/Rule to password reset ticket link

Problem Statement

When we redirect a user to a generated password reset ticket via an Action (api.redirect.sendUserTo) or a Rule (context.redirect), the password reset link doesn’t work. The problem only happens using the New Universal Login.

Cause

Essentially, this is a difference in behavior between the Classic and New Universal Login. Redirect Rules/Actions forcefully append a state parameter to any URL used as the redirect target. There is no mechanism to prevent this from happening in our code. The state parameter is what allows the authentication to resume after the redirect is completed.

However, in New Universal Login, the endpoints use an internal state parameter for their own handling.

Passing state to the password reset flow while using New Universal Login isn’t supported at the moment unless the state parameter was generated by the New Experience initially. The state appended by the Rule or Action therefore isn’t the same as the state the New Experience is using, which is essentially a state mismatch. The Classic Universal Login doesn’t have the same problem and appears to ignore the state parameter.

Solution

Two solutions are available:

  1. Switch entirely to the Classic Experience.
    See: Classic Universal Login Experience
  2. Enable the Password Reset page customization, which will enable the Classic Experience just for the Password Reset flow.
    See: Customize Password Reset Page