How to get state token on password reset flow?

Hi All,

I was able to invoke Okta API to initiate the password reset flow and I see my user status is changed to Password Reset and I am getting an email with the reset password link.

Instead of going to a Okta password reset link, I want to redirect to my own application page. My question is once I redirect to my application page, I read I can invoke Authentication | Okta Developer API. But how to get the state token?



The correct way to do this is through the /authn API. You want to call /authn/password/recovery with the JSON body set to send an email with a recovery token. Since you want the user to visit your application, you should really modify the email from Okta so that it sends a URL that goes to your application with the recovery token (Customizations → Emails → Forgot Password). When the user lands on your application strip out the recovery token and pass it to /auth/password/verify. That identifies the user and returns the state token you are looking for. Then you collect the new password from the user and call /authn/credentials/reset_password with the state token and the new password to change it.

If you are using an Okta SDK like the Java authn SDK, you would create a client object bound to the org (with the URL and API token) and then start with “recoverPassword()”, followed by “verifyRecoveryToken()”, and finally “resetPassword()”.