I guess we should clarify and separate two distinct password-reset-related pages:
- The first step, where you ask the user for the email address.
- The second step, where you ask the user for the new password.
The first step involves asking the user for the email address and hitting the /dbconnections/change_password (see docs). This starts the flow (Auth0 will send an email message to the address, with a link to continue the flow). If you use Lock, this step is handled by the Lock widget itself. If you built your own custom UI using Auth0.js, you’ll have to gather the input and make a request to that endpoint. But there’s no linking anywhere here: you hit that endpoint and Auth0 sends the email message.
If you use Lock, you can also use the forgotPasswordLink option to send the user to a specific URL when the “Forgot password” link is clicked. This URL should basically do the same thing that Lock does: ask the user for the email address and hit the /dbconnections/change_password to start the reset flow.
The second step is handled by an Auth0 hosted page that you can customize. This is done from the “Password Reset” tab in the “Universal Login” section:
> I expected the custom password reset page to be available in the same fashion as the custom login (via a url https://{my-domain}.auth0.com/login)
Neither the login page nor the password reset flow is meant to be used directly (you should never be linking directly to https://{my-domain}.auth0.com/login).
Auth0 will show the login page when needed as a result of an application requesting an authentication/authorization token via OAuth2 (/authorize) or one of the other supported protocols. The same for the password page: it will be displayed as a result of the user clicking on the link received in the email message, but you never link there directly.
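
Added example, not part of the original post and not Auth0's own code: a sketch of the first step for a custom UI, building the POST to /dbconnections/change_password and returning the same message to the user whether or not the address belongs to an account, so the form does not reveal which emails are registered. The tenant domain, client ID, connection name, function names and the uniform message are assumptions chosen for illustration.

```javascript
// Message shown for every syntactically valid address (constructed wording).
const UNIFORM_MESSAGE =
  "If an account exists for that address, a reset email is on its way.";

// Returns the trimmed address, or null if it does not look like an email.
function normalizeEmail(email) {
  const addr = String(email || "").trim();
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(addr) ? addr : null;
}

// Builds the request that starts the reset flow. Throws on bad input so a
// misconfigured domain can never turn into a request to an unexpected host.
function buildChangePasswordRequest({ domain, clientId, connection, email }) {
  if (!/^[a-z0-9.-]+$/i.test(String(domain))) {
    throw new TypeError("invalid tenant domain");
  }
  const addr = normalizeEmail(email);
  if (!addr) throw new TypeError("invalid email address");
  return {
    url: `https://${domain}/dbconnections/change_password`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ client_id: clientId, email: addr, connection }),
    },
  };
}

// Handler for the "forgot password" form. fetchImpl is injectable for tests.
async function startPasswordReset(config, email, fetchImpl = globalThis.fetch) {
  if (!normalizeEmail(email)) {
    return { accepted: false, message: "Enter a valid email address." };
  }
  const { url, options } = buildChangePasswordRequest({ ...config, email });
  try {
    const res = await fetchImpl(url, options);
    // Log failures for operators; do not surface them to the requester.
    if (!res.ok) console.warn("change_password returned HTTP", res.status);
  } catch (err) {
    console.warn("change_password request failed:", err.message);
  }
  return { accepted: true, message: UNIFORM_MESSAGE };
}
```

The user never receives a link from this code; the link to the hosted password page arrives only in the email Auth0 sends.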