
Support redirect after change password flow

Open mooreds opened this issue 1 year ago • 3 comments


Problem

People want to redirect a user from forgot-password/change-password flow to a different URL post successfully completing the password change, rather than end up on the password complete template.

Solution

Document the solution and test it so that it is explicitly supported.

Alternatives/workarounds

There are a couple of options to handle this that are not straightforward:

  • You can update the “Change password complete” template for your theme to redirect to the desired page using an HTML redirect tag.
  • You can use the API to start the OAuth authorization code grant workflow before beginning the forgot password flow and pass the OAuth parameters along to forgot/change password API calls in the state parameter.

If you want to redirect users to the same page every time, the first option is best.

The second option is how FusionAuth handles the password change workflow from the hosted login pages. When the user clicks “Forgot password” on the FusionAuth themed login page, we have the OAuth parameters. These are captured and passed along to the forgot/change password calls. Once the user completes their password change, we use the captured state to complete the OAuth workflow, which logs the user in and then redirects them to redirect_uri.

This is undocumented and not guaranteed to work in the future.

If you go with the second option, be aware that FusionAuth’s use of the API is not an API contract, and the behavior is subject to change.

The minimal set of state parameters to redirect after completing the password change is redirect_uri, response_type, and client_id. If you are using PKCE, the state also needs to contain code_challenge and code_challenge_method.

Additional context

Internal: https://inversoft.slack.com/archives/C051S8N8E/p1676559954353889

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mooreds avatar Feb 17 '23 16:02 mooreds
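The second workaround above, as an added illustration that is not part of the issue or of FusionAuth's own code: it generates an S256 PKCE pair, assembles the minimal `state` object the issue lists, and builds the body for the forgot-password call. The request field names (`loginId`, `state`) and the `/api/user/forgot-password` path are assumptions about the FusionAuth API, not something the issue states; the verifier still has to be kept client-side for the eventual token exchange, and `redirect_uri` must be one the application already authorizes.

```python
import base64
import hashlib
import secrets
from typing import Optional


def code_challenge_for(verifier: str) -> str:
    """S256 challenge per RFC 7636: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge); the verifier stays with the client only."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)


def build_oauth_state(client_id: str, redirect_uri: str,
                      code_challenge: Optional[str] = None) -> dict:
    """Minimal state payload named in the issue: redirect_uri, response_type, client_id,
    plus code_challenge/code_challenge_method when PKCE is in use."""
    state = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match an authorized redirect URL of the app
        "response_type": "code",
    }
    if code_challenge is not None:
        state["code_challenge"] = code_challenge
        state["code_challenge_method"] = "S256"
    return state


def build_forgot_password_request(login_id: str, state: dict) -> dict:
    """Body for POST /api/user/forgot-password (assumed field names); the same state
    object is carried through to the change-password call."""
    return {"loginId": login_id, "state": state}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = build_oauth_state("constructed-client-id", "https://app.example/after-reset", challenge)
    print(build_forgot_password_request("user@example.com", state))
```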

I think the bigger issue here is: should we start building "OAuth APIs"? If we went down and started building another API layer that our OAuth UI uses, it would be simpler to re-use a lot of this and build it in React, etc.

So this would be one example of it - to support this workflow officially, ideally we'd wrap our business logic of how we call our own APIs in another API that would be documented.

robotdan avatar Feb 17 '23 17:02 robotdan

Great, I created an issue for that: https://github.com/FusionAuth/fusionauth-issues/issues/2111


mooreds avatar Feb 17 '23 17:02 mooreds

I submitted an identical issue here: #2630

LucasPMorris avatar Apr 12 '24 17:04 LucasPMorris