
Exact flow for forgot Password

Open anmoljain10 opened this issue 2 years ago • 2 comments

Describe the bug?

In the Authn API docs, the forgot password method is using SMS factor type. After we generate the OTP via SMS and validate it, what should be the flow after that? Can we explain or add it in the docs?

What is expected to happen?

Docs update needed

What is the actual behavior?

NA

Reproduction Steps?

https://github.com/okta/okta-auth-js/blob/HEAD/docs/authn.md#forgotpasswordoptions

SDK Versions

v5.4.0 (using okta-react-native library: https://github.com/okta/okta-react-native).

Execution Environment

Platform: Android & iOS Framework: react-native

Additional Information?

No response

anmoljain10, Sep 12 '22 10:09

Thanks for bringing this to our attention! Agreed, the example usage of forgotPassword is not complete.

After verification of the SMS factor, the recovery transaction will be in RECOVERY status: https://developer.okta.com/docs/reference/api/authn/#verify-sms-recovery-factor

Then you should answer the recovery question, and your transaction will be in PASSWORD_RESET status: https://github.com/okta/okta-auth-js/blob/HEAD/docs/authn.md#answeroptions https://developer.okta.com/docs/reference/api/authn/#answer-recovery-question

Then you can set a new password with resetPassword: https://github.com/okta/okta-auth-js/blob/HEAD/docs/authn.md#resetpasswordoptions https://developer.okta.com/docs/reference/api/authn/#response-parameters-for-reset-password

The result of this transaction will be status SUCCESS, and it should have a sessionToken you can use.

Internal ref: OKTA-531830

denysoblohin-okta, Sep 12 '22 13:09
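The full forgot-password sequence described in this reply, as an added example that is not part of the original issue or of okta-auth-js itself. It assumes the transaction API documented in docs/authn.md (forgotPassword, verify, answer, resetPassword, cancel, and the status and sessionToken fields) and drives it status by status; makeFakeAuthClient is a constructed offline stand-in for the real client, with a made-up passcode, recovery answer and session token, so the block runs without an Okta org:

```javascript
// Added example (not code from the okta-auth-js project or from the thread's
// participants): drives an Authn forgot-password transaction through the
// statuses the reply lists. It assumes the transaction shape documented in
// docs/authn.md: forgotPassword() -> RECOVERY_CHALLENGE, verify() -> RECOVERY,
// answer() -> PASSWORD_RESET, resetPassword() -> SUCCESS with a sessionToken.

// `prompts` supplies user input on demand, so nothing is collected before the
// server actually asks for it: { passCode(), answer(question), newPassword() }.
async function recoverPassword(authClient, username, prompts) {
  let txn = await authClient.forgotPassword({ username, factorType: 'SMS' });
  const trail = [txn.status]; // statuses seen, useful for logging and debugging

  // Bounded loop: a transaction that never reaches SUCCESS is cancelled
  // rather than spun on forever.
  for (let step = 0; step < 10; step++) {
    switch (txn.status) {
      case 'RECOVERY_CHALLENGE': // SMS sent; the user types the OTP
        txn = await txn.verify({ passCode: await prompts.passCode() });
        break;
      case 'RECOVERY': { // factor verified; answer the recovery question
        const question = txn.recovery && txn.recovery.question
          ? txn.recovery.question.question : undefined;
        txn = await txn.answer({ answer: await prompts.answer(question) });
        break;
      }
      case 'PASSWORD_RESET': // question answered; set the new password
        txn = await txn.resetPassword({ newPassword: await prompts.newPassword() });
        break;
      case 'SUCCESS': // transaction complete; the sessionToken is usable now
        return { sessionToken: txn.sessionToken, trail };
      default:
        // Any other status is outside this flow; cancel so the account keeps
        // its old password and the user can start over.
        await txn.cancel();
        throw new Error('unexpected transaction status: ' + txn.status);
    }
    trail.push(txn.status);
  }
  await txn.cancel();
  throw new Error('recovery transaction did not complete');
}

// Constructed offline stand-in for an okta-auth-js client. It mimics only the
// status transitions and method names above; the real client calls the Okta
// Authn API over HTTPS and enforces the org's password policy.
function makeFakeAuthClient({ passCode, answer }) {
  const state = { passwordReset: false, cancelled: false };
  const makeTxn = (status, extra = {}) => ({
    status,
    ...extra,
    verify: async (opts) => {
      if (status !== 'RECOVERY_CHALLENGE') throw new Error('verify not allowed in ' + status);
      if (opts.passCode !== passCode) throw new Error('invalid passcode');
      return makeTxn('RECOVERY', { recovery: { question: { question: 'Favourite colour?' } } });
    },
    answer: async (opts) => {
      if (status !== 'RECOVERY') throw new Error('answer not allowed in ' + status);
      if (opts.answer !== answer) throw new Error('wrong recovery answer');
      return makeTxn('PASSWORD_RESET');
    },
    resetPassword: async (opts) => {
      if (status !== 'PASSWORD_RESET') throw new Error('resetPassword not allowed in ' + status);
      if (typeof opts.newPassword !== 'string' || opts.newPassword.length < 8) {
        throw new Error('password does not meet policy');
      }
      state.passwordReset = true; // old password stops working only here
      return makeTxn('SUCCESS', { sessionToken: 'constructed-session-token' });
    },
    cancel: async () => {
      state.cancelled = true;
      return makeTxn('CANCELLED');
    },
  });
  return {
    state,
    forgotPassword: async ({ factorType }) => {
      if (factorType !== 'SMS') throw new Error('stub simulates only the SMS factor');
      return makeTxn('RECOVERY_CHALLENGE');
    },
  };
}

// Walks the happy path against the stub, with constructed credentials.
async function demoHappyPath() {
  const client = makeFakeAuthClient({ passCode: '123456', answer: 'blue' });
  const result = await recoverPassword(client, 'user@example.com', {
    passCode: async () => '123456',
    answer: async () => 'blue',
    newPassword: async () => 'N3w-pass-word!',
  });
  return { ...result, passwordReset: client.state.passwordReset };
}

if (typeof require !== 'undefined' && require.main === module) {
  demoHappyPath().then((r) => console.log(r.trail.join(' -> '), 'sessionToken:', r.sessionToken));
}
```

Prompting on demand, rather than collecting the OTP, answer and new password up front, keeps each call tied to the status the server actually reports, and the cancel on an unexpected status leaves the transaction incomplete, which is the state in which the old password still works. Against a real client, the sessionToken returned at SUCCESS is what you hand to the rest of the sign-in flow.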

Hi, thanks for the quick reply. Actually, in our flow, we should be able to use the old password to log in if the password hasn't been reset. If we're in PASSWORD_RESET mode, we cannot log in using the old password, right? Also, is it possible not to use any recovery question or MFA to reset the password?

anmoljain10, Sep 12 '22 14:09

We should be able to use the old password to log in if the password hasn't been reset. If we're in PASSWORD_RESET mode, we cannot log in using the old password, right?

You can use the old password to log in until the transaction is completed, even if you're in PASSWORD_RESET state.

Also, is it possible not to use any recovery question or MFA to reset the password?

With the Authn API you should use factorType = 'EMAIL' / 'SMS' / 'CALL'. Recovery with Okta Verify is supported in OIE. There is a possibility to use Forgot password with a trusted application.

denysoblohin-okta, Oct 25 '22 14:10