
Return to login from expired reset password link

Open beezerk23 opened this issue 2 years ago • 4 comments

Description

If you click on an expired password reset link from an email, you land on the "Forgot password" page to request a new email. On this page you cannot use the "Return to login" link anymore. It always gives you the following error:

{
  "error" : "invalid_request",
  "error_description" : "The request is missing a required parameter: redirect_uri",
  "error_reason" : "missing_redirect_uri"
}

Seems like the application no longer knows where the user came from.

Affects versions

1.46.0

Steps to reproduce

Steps to reproduce the behavior:

  1. Get yourself an expired password reset link
  2. Click on it
  3. Click on the "return to login" link

Expected behavior

It should either return you to the initial location the user came from. So the user visits example.com -> gets redirected to the login page -> starts the password reset process -> uses an expired link -> clicks on "Return to login" -> comes back to example.com.

If this is not possible for some reason, the link should not be there.

beezerk23, Sep 22 '23 11:09

I have the same issue, any updates on this?

I think there are 2 quick solutions:

  • Extend the expiration timeout of the forgot password link
  • Add the redirect URI (the first one, for example) by adding something like this to the link in the email template: [...]&redirect_uri=${application.oauthConfiguration.authorizedRedirectURLs[0]}

But we could have more than one redirect URI, so I don't know if this solution works well for everyone.

Any idea?

MiticoBerna, Apr 08 '24 08:04

@beezerk23 Can you confirm if this is related to the hosted pages and are you navigating the user to oauth2/authorize to have them launch a forgot password workflow? Or are you using the Forgot Password API to send a user a password reset link?

If the former... Can you confirm that you have the following code in the forgot password email template?

  [#list state!{} as key, value][#if key != "tenantId" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list] 

jobannon, Apr 08 '24 23:04

@jobannon The user sees the login mask on oauth2/authorize, then clicks the "Forgot Password" link. This redirects to the password/forgot?tenantId=?&clientId=? page. It takes the "normal" FusionAuth flow, I would say. Nothing special.

You mean in the forgot password email? The link in the email looks like this: /password/change/${changePasswordId}?tenantId=${user.tenantId}

beezerk23, Apr 09 '24 06:04

Hello @jobannon, in my "Forgot password" template I had the same link as @beezerk23.

I already saw your suggestion here: https://fusionauth.io/docs/customize/email-and-messages/templates-replacement-variables#forgot-password

but at first glance I didn't understand what the "list state" block meant. After adding this piece to the template it worked like a charm!

[#assign url = "http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]
[#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]

<a href="${url}">${url}</a>

I also added this to the top of the file, otherwise I didn't receive any emails:

[#setting url_escaping_charset="UTF-8"]

Thanks for your help!

MiticoBerna, Apr 09 '24 14:04
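The following is an added example, not code from FusionAuth or from anyone in this thread. It rebuilds, in Python, the two password-change links the thread compares: the original template that carries only tenantId, and the fixed template that copies the OAuth state entries (redirect_uri, response_type, scope, state) into the link so the hosted pages can find their way back to the application. It also adds the check a practitioner would want before trusting a redirect_uri that travelled through an email: an exact match against the application's authorized redirect URLs. The host, identifiers and the contents of the state map are constructed sample values; `quote(..., safe="")` approximates FreeMarker's `?url` with `url_escaping_charset` set to UTF-8.

```python
"""Added example: rebuild and check the FusionAuth forgot-password link offline.

Not FusionAuth code. Host, ids and the OAuth state map below are constructed
for the example; nothing here contacts a server.
"""
from urllib.parse import parse_qs, quote, urlsplit

BASE_URL = "http://localhost:9011"                      # assumption: local instance, as in the template
CHANGE_PASSWORD_ID = "constructed-changePasswordId"     # stands in for ${changePasswordId}
TENANT_ID = "30663132-6464-6665-3032-326466613934"      # constructed, stands in for ${user.tenantId}
CLIENT_ID = "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e"      # constructed, stands in for the application clientId

# The OAuth request parameters the hosted pages carry as ``state`` when the
# forgot-password flow is started from oauth2/authorize. Constructed values.
OAUTH_STATE = {
    "tenantId": TENANT_ID,
    "client_id": CLIENT_ID,
    "redirect_uri": "https://example.com/oauth-callback",
    "response_type": "code",
    "scope": "openid offline_access",
    "state": "x7Kq2/p+9==",   # the relying party's own anti-CSRF value
}

REQUIRED_PARAMS = ("tenantId", "client_id", "redirect_uri")


def original_link(change_password_id=CHANGE_PASSWORD_ID, tenant_id=TENANT_ID):
    """The template from the issue: /password/change/${changePasswordId}?tenantId=${user.tenantId}"""
    return f"{BASE_URL}/password/change/{change_password_id}?tenantId={tenant_id}"


def fixed_link(change_password_id=CHANGE_PASSWORD_ID, tenant_id=TENANT_ID,
               client_id=CLIENT_ID, oauth_state=OAUTH_STATE):
    """Python equivalent of the fixed FreeMarker template.

    Base link with client_id and tenantId, then one "&key=value" per state
    entry, skipping tenantId and client_id (already present) and null values,
    exactly as the [#list state!{} ...] block does.
    """
    url = f"{BASE_URL}/password/change/{change_password_id}?client_id={client_id}&tenantId={tenant_id}"
    for key, value in oauth_state.items():
        if key in ("tenantId", "client_id") or value is None:
            continue
        # safe="" percent-encodes reserved characters too, like FreeMarker's ?url
        url += "&" + quote(str(key), safe="") + "=" + quote(str(value), safe="")
    return url


def missing_params(url):
    """Return the parameters the hosted pages need that the link's query string lacks."""
    present = parse_qs(urlsplit(url).query)
    return [p for p in REQUIRED_PARAMS if p not in present]


def query_param(url, name):
    """Single decoded query value from the link, or None if absent or repeated."""
    values = parse_qs(urlsplit(url).query).get(name, [])
    return values[0] if len(values) == 1 else None


def redirect_uri_is_authorized(url, authorized_redirect_urls):
    """Exact-match check of the link's redirect_uri against the application's allow-list.

    A redirect_uri baked into an emailed link must be one the application
    already authorizes; prefix or substring matching would turn the link into
    an open redirect.
    """
    value = query_param(url, "redirect_uri")
    return value is not None and value in authorized_redirect_urls


if __name__ == "__main__":
    print("original link lacks:", missing_params(original_link()))
    print("fixed link lacks:   ", missing_params(fixed_link()))
    print("fixed link:", fixed_link())
    print("redirect_uri authorized:",
          redirect_uri_is_authorized(fixed_link(), ["https://example.com/oauth-callback"]))
```

Running the script prints that the original link lacks client_id and redirect_uri, which is the missing_redirect_uri error from the first post, while the fixed link lacks nothing. Because the state values are percent-encoded on the way in and decoded by `parse_qs` on the way out, the relying party's own `state` value survives characters such as `/`, `+` and `=` intact.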