The Loginapp REST password reset API allows end-users to reset their own passwords. The service is typically accessed by the end-user via a Forgot password? link on the login page. It is configured as a public self-service flow.
The API is publicly accessible. Special consideration regarding user enumeration and security, in general, is therefore essential.
Arbitrary steps may be configured in the public self-service flow. Therefore the password reset flow may be very individual and differ from the example given below.
Airlock IAM 7.1 introduced the flow-based password reset feature exposing a REST API. The feature has been moved to the public self-service flows with IAM 7.5. With this move, the following things changed in IAM.
Title | Description |
|---|---|
Configuration | The password reset flow is now configured as a public self-service flow.  The configuration is automatically migrated. No manual action is required. |
REST API | The password reset REST API is now accessible using public self-service URLs (see example REST flows) instead of the password reset URLs. If a password reset flow was configured before the migration to IAM 7.5, the old REST API resources (URLs) still work for this flow so REST clients do not have to be adapted. If using the old URLs, do not change the flow ID of the migrated public self-service flow. It is essential to identify the correct flow if a REST client calls the old REST API without the flow selection call. |
Web browser URLs | If using the Loginapp REST UI, the URLs of the password reset feature changes. Bookmarks and external links may have to be adapted. As an alternative, use the Path Rewrite feature in Airlock Gateway (WAF)'s virtual host configuration to rewrite old URLs. |
Loginapp REST UI customization | Translation keys and page IDs have changed. See Manual changes for Loginapp REST UI SDK upgrade from UI SDK 2.0 to 2.1 with IAM 7.5 for details. |