Requirements
Component | Requirement | Comments |
---|---|---|
Airlock IAM | | None. |
This example shows how to configure and use the Loginapp REST API to implement a password reset flow using the flow continuation concept.
Note that the example can easily be combined with a second factor, as shown in the Complex password reset flow example.
All procedures below are examples and will vary according to your setup or needs.
See Using the Flow Continuation Step in public self-service flows for more information on the flow continuation concept.
The flow is configured as a public self-service flow under:
Loginapp >> Public Self-Service Flows >> new flow with id password-reset-init.
The flow steps configured for this example and a high-level view of the REST calls are shown in the diagram below.
Step | Purpose | Comment |
---|---|---|
A | Provide the name of the user for which the password reset flow should be executed. | This step is required to start the flow and to select the user. By default, this step completes with 200 OK even if the user cannot be found or the account is locked or invalid. This is done to protect against user enumeration attacks. To change this, adapt the configuration of the Default Password Reset Restrictions plugin or define your own password restriction settings using the plugin Custom Public Self-Service Restrictions. |
B | Sends an email with a link to the user. | Note that the configuration of this step contains the ID of the continuation flow described below. It embeds the flow ID in the link sent to the user so that, when the link is clicked, the correct continuation flow is selected. The step stores information about the user in the IAM database so that the continuing flow can access it (even on a new HTTP session). |
Like the initiating flow, this flow is also configured as a public self-service flow under:
Loginapp >> Public Self-Service Flows >> new flow with id password-reset-continue.
Step | Purpose | Comment |
---|---|---|
A | Validate the flow continuation token to identify the user for the flow. | When the user clicks the link in the email (sent by the Send Email Link Step), the flow continuation token is sent in an HTTP header when the flow is selected (1). This step extracts the flow continuation token and looks it up in the IAM database. Using the token, it identifies the user for the rest of the flow. If this step is successful, the email address of the user has been verified. |
B | Set the new password. | This step persists the new password if it passes the password policy. |
C | Clears all open OAuth sessions. | For security reasons, all open OAuth sessions (e.g. logged-in apps) are logged out. |
D | Logs out all remembered browsers/devices. | For security reasons, all logged-in browsers/devices (remember-me feature) are logged out. |
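The following Python model is an added illustration, not Airlock IAM code, of the security properties the two flows above rely on: the initiating flow answers 200 regardless of whether the user exists (steps A and B), the continuation token is stored server-side and bound to both the user and the continuation flow id, and the continuation flow validates the token, applies the password policy and revokes OAuth sessions and remembered devices (steps A to D). The in-memory stores, the 15-minute token lifetime, the password policy and the link format are assumptions.

```python
import secrets
import time

# Constructed in-memory stores standing in for the IAM database (assumption).
USERS = {"alice": {"password": "old-pw", "locked": False}}
CONTINUATIONS = {}      # token -> {"user", "flow", "expires"}
OAUTH_SESSIONS = {"alice": {"mobile-app", "web-app"}}
REMEMBERED_DEVICES = {"alice": {"laptop"}}
OUTBOX = []             # links that would be sent by e-mail
CONTINUE_FLOW_ID = "password-reset-continue"
TOKEN_LIFETIME = 900    # seconds; assumed value


def init_flow(username, now=None):
    """Initiating flow (steps A+B). Returns the same 200 response whether or
    not the user exists or is locked, so the HTTP response cannot be used to
    enumerate accounts; only a valid user gets a token stored and e-mailed."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None and not user["locked"]:
        token = secrets.token_urlsafe(32)
        # Token bound to the user and to the continuation flow id it is valid for.
        CONTINUATIONS[token] = {"user": username, "flow": CONTINUE_FLOW_ID,
                                "expires": now + TOKEN_LIFETIME}
        OUTBOX.append(f"https://iam.example.test/reset?flow={CONTINUE_FLOW_ID}&token={token}")
    return {"status": 200}


def password_ok(pw):
    """Assumed password policy: at least 12 characters, not all lower case."""
    return len(pw) >= 12 and not pw.islower()


def continue_flow(token, new_password, now=None):
    """Continuation flow (steps A-D): validate token, set password, revoke sessions."""
    now = time.time() if now is None else now
    entry = CONTINUATIONS.get(token)
    if entry is None or entry["flow"] != CONTINUE_FLOW_ID or entry["expires"] < now:
        return {"status": 403, "reason": "invalid or expired continuation token"}
    if not password_ok(new_password):
        return {"status": 400, "reason": "password policy violated"}  # token stays valid for a retry
    user = entry["user"]
    del CONTINUATIONS[token]                     # single use: consumed once the reset succeeds
    USERS[user]["password"] = new_password       # a real system stores a salted hash
    OAUTH_SESSIONS[user] = set()                 # step C: log out all OAuth sessions
    REMEMBERED_DEVICES[user] = set()             # step D: forget all remembered devices
    return {"status": 200, "user": user}
```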