I have enabled the ‘Check last password reset’ rule and observed my callback URL. The response parameters that I get are the following:
error=unauthorized&error_description=please%20change%20your%20password&state
I was wondering if there’s a way to know/fetch the username from the response? What’s the best practice for this kind of scenario?
Should I edit the rule to have a different redirect URL for this error and pass the username as a parameter? Or a JWT token as a parameter?
It depends on what you are trying to accomplish. You could redirect the user to a password reset page with the rule, you could send a reset link to their email, etc. You could send the username in the error response using the user object (user.email for instance) for another info page, but I think the redirect to a reset page/email reset would be more common. Mostly dependent on your intended UX and whether or not you want the user to have to access their email address to reset.
With our current authentication flow, it redirects the user to a reset password page. But before redirecting there is some processing in between. Given that the username is available from the submitted login form, it encrypts it inside a token.
Then the token will be part of the url on the reset password page.
Login page → {encrypt username, create a token, pass the token} → Password reset page
Since we have the login page in Auth0 now, I was just wondering how I can get the username/email on the callback to a URL or API we exposed in our app?
You mentioned, “You could send the username in the error response using the user object (user.email for instance) for another info page”. Is there a code example for this that you can share?
Assuming the username/email can be passed to the callback, my other question is: is it secure to do it like that?
If we use the Universal Login - Password Reset page, how do I redirect the user to that password reset page using the rule? I’m just looking for some references or examples.
From the example on Redirect Users from Within Rules, in the Force password change example section, is the redirect URL there the Universal Login - Password Reset page that’s in Auth0?
The way that password reset is configured with Universal Login, the reset URL is only available in the email that has been generated. Edit: the reset URL is also available from this Management API endpoint: /api/v2/tickets/password-change.
To clarify the flow the user should experience:
User provides credentials and successfully logs in.
Force password reset rule runs.
Email is sent to user prompting reset.
User is redirected to a page instructing them to reset their password via email before they are able to continue to the application.
Essentially all you have to do is create a redirect page to inform the user that they must reset through email before continuing. Sorry if that was unclear.
In terms of security, limiting exposure of any user information is most likely better. The current flow would just generally instruct a user to go to their email, not specifically identifying email or username. This is something that could be discussed further, but I would recommend not passing that information unless it is required for your application.
Based on what I read and found, the reset link in the email is generated from the create-a-password-change-ticket REST API, /api/v2/tickets/password-change.
I was able to do it without sending the email. When the Check last password reset rule runs and the validation executes, it redirects to the ticket URL returned by the API, which is the Password Reset page that we enabled.
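The flow the last post arrives at, written out as an added example (this is not code from Auth0 or from either poster). It keeps the age check of the ‘Check last password reset’ rule template (last_password_reset, falling back to created_at) but, instead of failing the login with ‘please change your password’, it requests a password-change ticket and sets context.redirect to the ticket URL. Assumptions: `deps.createPasswordChangeTicket(body, cb)` is injected so the logic runs offline; in a real rule it would POST the body to /api/v2/tickets/password-change with a Management API token and call back with `{ ticket: url }`. The result_url, ttl_sec and the sample user are constructed values.

```javascript
// Added example, not the thread's or Auth0's own code.
const DAY_MS = 24 * 60 * 60 * 1000;

function daysBetween(earlierIso, now) {
  return (now.getTime() - new Date(earlierIso).getTime()) / DAY_MS;
}

// Same check as the rule template: users who have never reset fall back to created_at.
function passwordExpired(user, now, maxAgeDays) {
  const lastChange = user.last_password_reset || user.created_at;
  return daysBetween(lastChange, now) > maxAgeDays;
}

// Request body for POST /api/v2/tickets/password-change.
// includeEmailInRedirect stays false so the address is not appended to the
// URL the user is sent back to, in line with the advice above to expose as
// little user information as possible. result_url and ttl_sec are illustrative.
function ticketRequest(user, resultUrl) {
  return {
    user_id: user.user_id,
    result_url: resultUrl,
    ttl_sec: 15 * 60,
    mark_email_as_verified: false,
    includeEmailInRedirect: false
  };
}

// Rule-shaped entry point: (user, context, callback), plus injected deps.
// deps.createPasswordChangeTicket(body, cb) is assumed; a real rule would
// make the Management API call here. The username/email is never put in the
// redirect by this code; the ticket itself identifies the user to Auth0.
function checkLastPasswordReset(user, context, callback, deps) {
  const opts = Object.assign(
    { maxAgeDays: 30, now: new Date(), resultUrl: 'https://app.example.com/login' },
    deps
  );
  if (!passwordExpired(user, opts.now, opts.maxAgeDays)) {
    return callback(null, user, context);
  }
  opts.createPasswordChangeTicket(ticketRequest(user, opts.resultUrl), function (err, res) {
    // On failure, fail the login rather than fall through and allow it.
    if (err || !res || !res.ticket) {
      return callback(err || new Error('password-change ticket was not created'));
    }
    context.redirect = { url: res.ticket };
    callback(null, user, context);
  });
}

// Constructed sample input: a user whose last reset was 45 days before "now".
function runSample(lastReset) {
  const sampleUser = {
    user_id: 'auth0|sample',
    email: 'sample@example.com',
    last_password_reset: lastReset || '2023-01-01T00:00:00.000Z'
  };
  const context = { protocol: 'oidc-basic-profile' };
  const result = { context: null, err: null };
  checkLastPasswordReset(sampleUser, context, function (err, u, ctx) {
    result.err = err;
    result.context = ctx || null;
  }, {
    now: new Date('2023-02-15T00:00:00.000Z'),
    createPasswordChangeTicket: function (body, cb) {
      // Stand-in for the Management API call; the ticket URL is constructed.
      cb(null, { ticket: 'https://TENANT.auth0.com/lo/reset?ticket=CONSTRUCTED#' });
    }
  });
  return result;
}

console.log(runSample());
```

Once the user completes the reset, Auth0 updates last_password_reset, so the next login passes the age check and no further redirect is issued. If ticket creation fails the login is rejected, which is the safer default when the policy is that stale passwords must be changed.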