How to Authentication Recovery Token using new Okta node sdk package

Questions OAuth/OIDC
1

Hello!

I found out that okta node sdk doesn’t support “Recovery Token” authentication during password reset/unlock account link.

But i am not sure, if that is not supported, how does “Forgot password” functionality works, because that has to go through token verification associated with each user who has requested the password reset.

So password reset link is something like

http://localhost:XXXX/#/user/reset?token=${recoveryToken}"

I do see recovery token in email
I click on it.
Try to reset the password
Send request to the backend service, which is in javascript

Now which method should i use to authenticate the token??
I got suggestions to directly call the api which will authenticate the token and follow api path , instead of package . But i feel, if forgot password works then there should be token verification function too.

I tried this too

 var query = {
        userId: userInfo.id,
        queryParams:{
            sendEmail : false,
            provider: 'OKTA'
        }
    };

    oktaUser.resetPassword(query).then(function(token){
        console.log(token);
        return resolve();
    })

But every time user gets email, instead of setting sendEmail to false.

2

I have resolved the issue by using api. But i feel node package should provide authentication too, because on client side authentication is not secure

3

Thanks for the feedback. I think what you are asking for falls right in line with where we are going. We are currently working on the Management SDKs (the SDK that helps you with the CRUD and lifecycle of objects) and we will be introducing Authentication APIs as well.

1 Like
4

There is also a discussion about this on Github: https://github.com/okta/okta-sdk-nodejs/issues/22

As Tom said, this is something we are currently working on. I’ll update here and on Github when we’ve added better support for Node.

5

I understand this post is old. But, I am looking to resolve something similar to this as well. Doesnt seem like it has been resolved yet either. It seems this could easily be handled if the Authentication API POST for Forgot Password with Email worked exactly like the Forgot Password with SMS Factor. If a code was sent via email instead and the response include a state token was given in the response. I could easily manage the authentication and not worry about a email link with token. Seems that everything needed is there including the email for factor code.

6

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.