The way that password reset is configured with Universal Login, the reset URL is only available in the email that has been generated. Edit: The reset URL is also available from this Management API endpoint: /api/v2/tickets/password-change.
To clarify the flow the user should experience:
- User provides credentials and successfully logs in.
- Force password reset rule runs.
- Email is sent to user prompting reset.
- User is redirected to a page instructing them to reset their password via email before they are able to continue to the application.
Essentially all you have to do is create a redirect page to inform the user that they must reset through email before continuing. Sorry if that was unclear.
In terms of security, limiting exposure of any user information is most likely better. The current flow would just generally instruct a user to go to their email, without specifically identifying the email or username. This is something that could be discussed further, but I would recommend not passing that information unless it is required by your application.
Let me know if this makes sense.
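The flow described above, as an added example that is not part of the original post and not Auth0's own code: a force-password-reset rule in the shape of an Auth0 Rule (`function (user, context, callback)`), with the ticket call and the email send injected so it runs offline. Everything named here is an assumption for illustration: the `app_metadata.force_password_reset` flag, `createTicket` standing in for a POST to `/api/v2/tickets/password-change`, `sendResetEmail`, and the `RESET_NOTICE_URL` / `APP_LOGIN_URL` pages. The redirect target deliberately carries no email, username, user_id or ticket, in line with the recommendation above; the reset URL itself travels only by email.

```javascript
// Added example, not code from the original post or from Auth0.
// Assumed names (none appear in the original post):
//   user.app_metadata.force_password_reset  flag marking accounts that must reset
//   createTicket(payload)   stands in for POST /api/v2/tickets/password-change,
//                           resolves to { ticket: '<reset url>' }
//   sendResetEmail(to, url) delivers the reset URL to the user's mailbox
//   RESET_NOTICE_URL        static page telling the user to check their email
//   APP_LOGIN_URL           where the user lands after completing the reset

const RESET_NOTICE_URL = 'https://example.com/password-reset-required';
const APP_LOGIN_URL = 'https://example.com/login';

// Query keys that must never ride along on the browser redirect.
const IDENTIFYING_KEYS = ['email', 'username', 'user_id', 'ticket'];

function redirectLeaksIdentity(url) {
  const params = new URL(url).searchParams;
  return IDENTIFYING_KEYS.some((k) => params.has(k));
}

function makeForcePasswordResetRule({ createTicket, sendResetEmail }) {
  return function forcePasswordReset(user, context, callback) {
    const meta = user.app_metadata || {};
    if (!meta.force_password_reset) {
      // Normal login: pass the user straight through to the application.
      return callback(null, user, context);
    }

    createTicket({ user_id: user.user_id, result_url: APP_LOGIN_URL, ttl_sec: 900 })
      .then(({ ticket }) => sendResetEmail(user.email, ticket))
      .then(() => {
        // The reset URL went out by email only. The browser is sent to a
        // generic notice page with no identifying query parameters.
        if (redirectLeaksIdentity(RESET_NOTICE_URL)) {
          throw new Error('redirect URL must not identify the user');
        }
        context.redirect = { url: RESET_NOTICE_URL };
        callback(null, user, context);
      })
      .catch((err) => callback(err));
  };
}

// Offline harness: run the rule with stubbed ticket and email calls and
// resolve to whatever the rule handed back through callback().
function runForcePasswordReset(user) {
  const calls = { tickets: [], emails: [] };
  const rule = makeForcePasswordResetRule({
    createTicket: async (payload) => {
      calls.tickets.push(payload);
      // Constructed ticket URL, not a real Auth0 response.
      return { ticket: 'https://TENANT.auth0.com/lo/reset?ticket=CONSTRUCTED' };
    },
    sendResetEmail: async (to, url) => { calls.emails.push({ to, url }); },
  });
  return new Promise((resolve) => {
    rule(user, { redirect: undefined }, (err, u, ctx) => resolve({ err, context: ctx, calls }));
  });
}

// Constructed sample users, not real accounts.
const FLAGGED_USER = {
  user_id: 'auth0|0001',
  email: 'alice@example.com',
  app_metadata: { force_password_reset: true },
};
const NORMAL_USER = { user_id: 'auth0|0002', email: 'bob@example.com', app_metadata: {} };

if (typeof require !== 'undefined' && require.main === module) {
  runForcePasswordReset(FLAGGED_USER).then((r) => console.log(r.context.redirect, r.calls));
}
```

The notice page only needs to say "check your email"; the ticket URL is the secret, so it is never placed in `context.redirect`, and `redirectLeaksIdentity` guards against someone later appending the user's email or id to the notice URL for convenience.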