We have a password policy of not allowing the last 4 passwords that were used. But it will let the user reset the password to the very first one that was used while creating an account.

Steps to reset the password:
- Request a recovery token.
- Request a state token using the recovery token.
- Reset the password using the state token and new password.

API call to reset the password: /api/v1/authn/credentials/reset_password