This article describes how to adapt an authentication flow such that the end-user is given the option to change the password within the flow.
Changing the password during the login process can be a useful alternative to using the corresponding protected self-service flow. When the password change is already part of the authentication process, the end-user does not have to find and navigate to the self-service after login.
The following configuration instructions show how to use dynamic step activation to give the end-user (or REST client) the option to activate the Voluntary Password Change step.
The details depend on whether mandatory password change is also part of the authentication flow; both scenarios are described below.
The voluntary password change self-service may be used after the existing password has been stolen or disclosed to unauthorized persons.
It is therefore good practice to log out all persistently logged-in browsers and devices (OAuth tokens, remember-me features) once the new password has been set. This can be done by configuring the corresponding logout steps after the password change step.
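The following is an added, self-contained Python model of the flow described above; it is illustrative code written for this article, not the product's configuration format or API. It assumes hypothetical names (`AuthFlow`, `Account`, the step labels in the trace) and models both scenarios: a flow that contains a mandatory password change step, and one where the Voluntary Password Change step is only activated dynamically because the client supplied a new password. In both cases a successful change revokes all persistent sessions (remember-me and OAuth-style tokens, constructed here as plain strings) before the login completes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is deliberately low to keep the example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    """Hypothetical user record (not the product's data model)."""
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False  # set by policy; drives the mandatory step
    # Constructed identifiers for remember-me cookies / OAuth refresh tokens.
    persistent_sessions: set[str] = field(default_factory=set)

    @classmethod
    def create(cls, username: str, password: str, **kwargs) -> "Account":
        salt = os.urandom(16)
        return cls(username, salt, hash_password(password, salt), **kwargs)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def set_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new_password, self.salt)


class AuthFlow:
    """Flow: password check -> [mandatory change] -> [voluntary change] -> persistent logout -> done."""

    def __init__(self, mandatory_change_in_flow: bool):
        self.mandatory_change_in_flow = mandatory_change_in_flow

    def _change(self, account: Account, new_password: str, trace: list, step: str) -> bool:
        # Minimal policy check: the new password must differ from the current one.
        if account.verify(new_password):
            trace.append(f"{step}:rejected-same-password")
            return False
        account.set_password(new_password)
        account.must_change_password = False
        trace.append(f"{step}:ok")
        return True

    def run(self, account: Account, password: str,
            new_password: Optional[str] = None) -> list[str]:
        """Return the ordered list of step results for one login attempt."""
        trace: list[str] = []
        if not account.verify(password):
            trace.append("password-check:failed")
            return trace
        trace.append("password-check:ok")

        password_changed = False
        if self.mandatory_change_in_flow and account.must_change_password:
            if new_password is None:
                # The flow cannot complete until the client supplies a new password.
                trace.append("mandatory-password-change:required")
                return trace
            if not self._change(account, new_password, trace, "mandatory-password-change"):
                return trace
            password_changed = True
        elif new_password is not None:
            # Dynamic step activation: the voluntary step runs only because the
            # end-user (or REST client) chose to activate it by sending a new password.
            trace.append("voluntary-password-change:activated")
            if not self._change(account, new_password, trace, "voluntary-password-change"):
                return trace
            password_changed = True

        if password_changed:
            # Log out every persistently logged-in browser/device after the change.
            revoked = len(account.persistent_sessions)
            account.persistent_sessions.clear()
            trace.append(f"persistent-logout:{revoked}")

        trace.append("login:complete")
        return trace


if __name__ == "__main__":
    acct = Account.create("alice", "old-pw",
                          persistent_sessions={"remember-me-1", "oauth-refresh-1"})
    flow = AuthFlow(mandatory_change_in_flow=False)
    print(flow.run(acct, "old-pw"))            # voluntary step not activated
    print(flow.run(acct, "old-pw", "new-pw"))  # activated, sessions revoked
```

The trace returned by `run` makes the difference between the two scenarios visible: with the mandatory step configured and the account flagged, the flow stops at `mandatory-password-change:required` until a new password is supplied, whereas without it the same login completes normally and the voluntary step appears only when the client opts in. The persistent logout entry is emitted only on a successful change, never on an ordinary login.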