
Users Getting Automatically Logged In Post Successful Password Reset Flow

Open dlalwani-ep opened this issue 2 years ago • 4 comments


Description

I'm experiencing some issues in our password reset flow: once the user completes the password reset flow they are automatically logged into the application via PKCE, as the state is replayed. We've removed the client_id from the URL in the email and are still experiencing the same issue. We want users to end up on /password/complete.

We followed the steps on this forum from @robotdan which we believe is either out of date or a bug is introduced preventing this from working as expected. https://fusionauth.io/community/forum/topic/366/prevent-redirect-after-forgot-password-flow

Affects versions

We're currently experiencing the problem on version 1.36.8

Steps to reproduce

Steps to reproduce the behaviour:

  1. Enable the password complete theme template
  2. Start the Forgot Password Flow
  3. Click the link received in your email (ensure this doesn't include the client_id)
  4. Confirm your new password
  5. Click Confirm. At this point the user will be automatically logged into the application.

Expected behaviour

Once the user enters a new password and hits confirm, we expect them to land on /password/complete

Screenshots


Platform

  - Device: PC
  - OS: MAC
  - Browser: Chrome
  - Database: postgres

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.


dlalwani-ep avatar Aug 15 '22 04:08 dlalwani-ep

I think this is working as designed. Can you provide an example URL that the user is clicking on from the email?

robotdan avatar Aug 16 '22 16:08 robotdan

@robotdan

An example of the URL would look like the following: https://iam.test.educationperfect.io/password/change/ABuQ1qSMfWXNFhBEOZ1QvepU16mTTEXuC_JrvbxJCmY?code_challenge=kbjigSysh1qn51jTSh28i4I4di9iYNUY7Ldze5FM17Q&code_challenge_method=S256&metaData.device.name=macOS%20Chrome&metaData.device.type=BROWSER&redirect_uri=%2Fadmin%2Flogin&response_type=code&scope=offline_access&state=Rkv55G1tpbnQnfglbB368mmd5atHKnCPB3wWZcJDhgw&timezone=Pacific%2FAuckland

dlalwani-ep avatar Aug 17 '22 22:08 dlalwani-ep

This is all working as expected. Landing on the password complete page will only happen if we do not have any context from the original login request.

If you would prefer the user to land on the complete page, you will need to modify how you are building the URL. Ideally you'll want to leave the client_id so that the page can optionally be themed. But if you remove the redirect_uri the OAuth2 request will not be fully reconstructed and the user will land on the complete page.

robotdan avatar Aug 22 '22 03:08 robotdan
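The behaviour described in the reply above, as an added example that is not part of the thread or of FusionAuth's own code: a small helper that inspects a password-change link for the OAuth2 parameters that let the original login request be reconstructed, and that rewrites the link to drop redirect_uri while keeping client_id so the page can still be themed. The sample link, host and parameter values are constructed and stand in for the real ones posted above.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample link modelled on the one in the thread; host, change id and
# values are placeholders, not real data.
SAMPLE_LINK = (
    "https://iam.example.test/password/change/CHANGE_ID_PLACEHOLDER"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&code_challenge=abc&code_challenge_method=S256"
    "&metaData.device.type=BROWSER"
    "&redirect_uri=%2Fadmin%2Flogin&response_type=code"
    "&scope=offline_access&state=xyz&timezone=Pacific%2FAuckland"
)

# Query parameters that carry the original OAuth2 login context. Per the reply
# above, redirect_uri is the one whose presence causes the request to be
# reconstructed and the user to be logged in after the password change.
OAUTH_CONTEXT_PARAMS = {
    "redirect_uri", "response_type", "state", "scope",
    "code_challenge", "code_challenge_method",
}


def login_context_params(url: str) -> list[str]:
    """Return the sorted OAuth2 context parameters present in the link's query string."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in query if k in OAUTH_CONTEXT_PARAMS})


def has_login_context(url: str) -> bool:
    """True when the link still carries redirect_uri, i.e. would log the user in."""
    return "redirect_uri" in login_context_params(url)


def remove_login_context(url: str, drop: tuple[str, ...] = ("redirect_uri",)) -> str:
    """Rebuild the link without the given parameters, keeping everything else
    (client_id included) in its original order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in drop]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    print("before:", login_context_params(SAMPLE_LINK), has_login_context(SAMPLE_LINK))
    fixed = remove_login_context(SAMPLE_LINK)
    print("after: ", login_context_params(fixed), has_login_context(fixed))
    print(fixed)
```

Run it against the link your email template actually emits; if `has_login_context` still returns True, the template is still carrying redirect_uri and the user will be signed in rather than landing on /password/complete.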

There's a problem with this - making this change also means you can't have a "Return to login" button on the "Forgot password sent" page (or in the forgot password email for that matter).

Could you please consider adding a configuration option to control this rather than relying on the theme? Using themes to control this sort of functionality is a really bad experience.

epbensimpson avatar Aug 28 '22 21:08 epbensimpson