
Forgot Password Email not going through confirmation page

Open astutesmartlocks opened this issue 6 months ago • 5 comments

Description

Confirmation page not presented for Forgot Password emails like they are for email verification and others. Cannot find any other info for this use case.

Observed versions

1.49+ (currently running v1.53.2 and v1.56)

Affects versions

Steps to reproduce

Appears to be mainly on MS Outlook safe links checker

Expected behavior

Confirmation page should be served similar to the password reset email

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

Closed issue #2443 appears to have missed this use case.

astutesmartlocks, Jun 18 '25 01:06

Thank you for submitting this issue. We've added it to our backlog for evaluation and prioritization. While I can't provide a specific timeline, we will keep you updated as to when this moves into development.

brianweber-fusionauth, Jun 30 '25 14:06

Thanks for taking the time to open the issue @astutesmartlocks - appreciate it!

There are a bunch of ways to get into this workflow, and in order to replicate the issue and understand if this is working as designed, or a potential bug, it will be very helpful to have additional information.

Can you please provide a step-by-step set of instructions on how you start the workflow, where you click, what page you end up on, etc.?

The more detail the better: are you on the same browser, what email client are you using, is the workflow initiated from an API, the admin UI, or a themed template, are you in an OAuth2 workflow, etc.?

Thanks!

robotdan, Jul 09 '25 22:07

Step-by-step reproduction

  • User clicks on “Forgot your password?” from the hosted login pages.
  • These are advanced pages written to change the styles. The functionality remains the same.
  • This takes the user to the forgot password page where they enter their email and click submit.
  • We can see the debug log in “Event Logs” in the FusionAuth Admin UI that the email was sent to the SMTP server (Sendgrid) using the correct SMTP settings that we’ve set up for that tenant.
  • Can see successful delivery in our SMTP server (Sendgrid) as well.
  • The logic to generate the URL in the email template is as below (copied from the default FusionAuth template).
[#assign url = "https://ourdomain.example.com/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]
[#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
  • Example password reset link taken from one of the debug logs that seems to not work.

https://ourdomain.example.com/password/change/JSd7oIl0KUVg-CLoP1HA2LEnO2aT06ip2PUWCgUQjTU?client_id=20c4e9d2-6399-45d7-bfd2-a9e48c629901&tenantId=7b05f90a-eee2-4496-bda4-9b1f467f9288&code_challenge=hYpsKUbq6_TmnViNJTJbFAjLiPBoX_dUTQye5XWfZIg&code_challenge_method=S256&metaData.device.name=iPhone/iPod Safari&metaData.device.type=BROWSER&nonce=0xgsaoVFs5Kz0xAAHdCOO0lr4eqCVm7dbK--aYlmZH0&redirect_uri=redirectURItoAppsOrWebDependingOnWhereTheUserHasComeFrom&response_type=code&scope=openid profile offline_access&state=iQZ8W9GUj7vsebbn_o_jlUe2e79cQJqwnnvI35yLd00&timezone=Pacific/Auckland

  • User receives the email and clicks on the link that was sent.
  • They are shown the error “Your password reset code has expired or is invalid. Please retry your request.” This is also the advanced hosted page written to change the styles but not functionality. (Refer to image.)

Additional Information

This is an issue with customers who might be using Safe Link checkers such as Microsoft Outlook or other enterprise systems.

astutesmartlocks, Jul 14 '25 21:07

@robotdan Any thoughts on this?

astutesmartlocks, Aug 20 '25 02:08

Hard to say. The link doesn't look right to me.

The link looks to be some type of markdown, and part of it looks ok, and then there is a trailing part of the URL that appears to have been broken.

This part of the link looks correctly represented in the markdown:

https://ourdomain.example.com/password/change/JSd7oIl0KUVg-CLoP1HA2LEnO2aT06ip2PUWCgUQjTU?client_id=20c4e9d2-6399-45d7-bfd2-a9e48c629901&tenantId=7b05f90a-eee2-4496-bda4-9b1f467f9288&code_challenge=hYpsKUbq6_TmnViNJTJbFAjLiPBoX_dUTQye5XWfZIg&code_challenge_method=S256&metaData.device.name=iPhone/iPod

But then this part looks to be dangling, or missing from the whole link:

Safari&metaData.device.type=BROWSER&nonce=0xgsaoVFs5Kz0xAAHdCOO0lr4eqCVm7dbK--aYlmZH0&redirect_uri=redirectURItoAppsOrWebDependingOnWhereTheUserHasComeFrom&response_type=code&scope=openid profile offline_access&state=iQZ8W9GUj7vsebbn_o_jlUe2e79cQJqwnnvI35yLd00&timezone=Pacific/Auckland

The link looks to be broken where there is a space in the metaData.device.name attribute value.

The entire correct link should be:

https://ourdomain.example.com/password/change/JSd7oIl0KUVg-CLoP1HA2LEnO2aT06ip2PUWCgUQjTU?client_id=20c4e9d2-6399-45d7-bfd2-a9e48c629901&tenantId=7b05f90a-eee2-4496-bda4-9b1f467f9288&code_challenge=hYpsKUbq6_TmnViNJTJbFAjLiPBoX_dUTQye5XWfZIg&code_challenge_method=S256&metaData.device.name=iPhone/iPod Safari&metaData.device.type=BROWSER&nonce=0xgsaoVFs5Kz0xAAHdCOO0lr4eqCVm7dbK--aYlmZH0&redirect_uri=redirectURItoAppsOrWebDependingOnWhereTheUserHasComeFrom&response_type=code&scope=openid profile offline_access&state=iQZ8W9GUj7vsebbn_o_jlUe2e79cQJqwnnvI35yLd00&timezone=Pacific/Auckland

And this URL encoded would be:

client_id=20c4e9d2-6399-45d7-bfd2-a9e48c629901&tenantId=7b05f90a-eee2-4496-bda4-9b1f467f9288&code_challenge=hYpsKUbq6_TmnViNJTJbFAjLiPBoX_dUTQye5XWfZIg&code_challenge_method=S256&metaData.device.name=iPhone%2FiPod%20Safari&metaData.device.type=BROWSER&nonce=0xgsaoVFs5Kz0xAAHdCOO0lr4eqCVm7dbK--aYlmZH0&redirect_uri=redirectURItoAppsOrWebDependingOnWhereTheUserHasComeFrom&response_type=code&scope=openid%20profile%20offline_access&state=iQZ8W9GUj7vsebbn_o_jlUe2e79cQJqwnnvI35yLd00&timezone=Pacific%2FAuckland

robotdan, Oct 09 '25 21:10
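As an added illustration of the encoding point made above (example code written for this thread, not code from the issue or from FusionAuth), the following Python builds the same password-change link two ways: raw concatenation, which reproduces the link from the debug log, and percent-encoded, which matches the corrected query. A small model of a client that stops at the first whitespace shows exactly where the raw link is cut. The parameter values are the ones quoted in the thread; the nonce, state and redirect_uri parameters are left out for brevity.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl, quote

# Constructed from the values quoted in the thread (the hostname is the thread's placeholder);
# nonce, state and redirect_uri are omitted to keep the example short.
CHANGE_PASSWORD_ID = "JSd7oIl0KUVg-CLoP1HA2LEnO2aT06ip2PUWCgUQjTU"
BASE = "https://ourdomain.example.com/password/change/" + CHANGE_PASSWORD_ID
STATE = {
    "client_id": "20c4e9d2-6399-45d7-bfd2-a9e48c629901",
    "tenantId": "7b05f90a-eee2-4496-bda4-9b1f467f9288",
    "code_challenge": "hYpsKUbq6_TmnViNJTJbFAjLiPBoX_dUTQye5XWfZIg",
    "code_challenge_method": "S256",
    "metaData.device.name": "iPhone/iPod Safari",  # the value containing a space
    "metaData.device.type": "BROWSER",
    "scope": "openid profile offline_access",
    "timezone": "Pacific/Auckland",
}


def build_unencoded(base, params):
    """Concatenate raw values; this yields the broken link seen in the debug log."""
    return base + "?" + "&".join(f"{k}={v}" for k, v in params.items())


def build_encoded(base, params):
    """Percent-encode keys and values (space -> %20, '/' -> %2F), as in the corrected query."""
    return base + "?" + urlencode(params, quote_via=quote)


def as_seen_by_link_scanner(url):
    """Model a mail client or safe-link checker that ends the URL at the first whitespace."""
    return url.split()[0]


def parse_reset_link(url):
    """Return (changePasswordId, decoded query params) from a password-change link."""
    parts = urlsplit(url)
    return parts.path.rsplit("/", 1)[-1], dict(parse_qsl(parts.query))


def link_survives_scanner(url, expected_keys):
    """True if the scanner keeps the whole URL and every expected key still round-trips."""
    seen = as_seen_by_link_scanner(url)
    _, params = parse_reset_link(seen)
    return seen == url and set(params) >= set(expected_keys)


if __name__ == "__main__":
    broken, fixed = build_unencoded(BASE, STATE), build_encoded(BASE, STATE)
    print("raw link is cut to:", as_seen_by_link_scanner(broken))
    print("encoded link intact:", link_survives_scanner(fixed, STATE))
```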