Password Reset | Angular | Password Flow

Hi @mraible ! Thanks again for the tutorials you’ve been putting online for Angular/Okta!ble I was wondering if you could point me in the right direction: I followed one of your tutorials to set up password flow for logging into okta in my Angular app. I’d like to allow my end-users to reset their password. What are my options? As I see it now, I could redirect them to Okta and let them do it there (is this possible? What’s the URL?), I could change my application to use the sign-in widget (which would be like starting all over with authentication, but maybe that’s not a bad thing if I get more functionality and less code I have to write), or there is a way I can do it with the authentication API. All of these alternatives have got me confused and I was wondering if I could reach out to you for some advice on this. Thanks!

What are you using for your backend? If you’re using Java, you could use Spring Security to the redirect to Okta for your and the login form allows password reset. This tutorial shows you how.

You could also do this with angular-oauth2-oidc. It’ll handle the redirect for you. Using the Sign-In Widget is an option too.

@mraible I just figured it out. I ended up sending a post request the the reset password endpoint in the okta Authentication API. This automically sends an email to the email address included in the params of the POST request.

Thank you for your response!

I have a web api ( core 2.0) backend. I’m acquiring an id_token from angular-oauth2-oidc on the client side. Then I’m using the id_token to authenticate with my web api and get protected resources as well as okta profile information.

Thanks for your promptness

I’m glad to hear you got it figured out! Just FYI… you should be sending an access token to your API rather than the ID token.

I was originally doing that, but the access token wasn’t providing sufficient information to do authorization based on groups in okta, and I read in the documentation that if you use just the id token, you can use it like the access token.

Is there another reason you think I should be using the access token?

id_token is all about providing identity to the client that requested it
access_token is all about authorization for a resource server

These might seem like little nuances, but the id_token that you are generating is meant for your angular client. There are a lot of libraries out there that will do audience and issue checking that will not work correctly if you pass an id_token to your resource server.

Now, that being said, you can get group information in the access token so your resource server can make the correct decisions. All you need to do is configure your authorization server to include groups in the access token :slight_smile:

I know for a fact that I’m confused, so let me know if this is outright wrong. But what I was doing before in the Angular client was asking for both the id_token and the access_token and using the access_token for authorization and id_token for authentication. The problem I was having was that I needed to send both for certain endpoint in my API and I wasn’t sure how to do that. But if the response type is just id_token, the groups I need to use for authorization are included.

As far as I could tell, the only way to do what I needed with sufficient information to do so was to either find a way to send the id_token and access_token at the same time to my web API, or I needed to have all the information I needed for both authentication and group-based authorization to be included into one token. This is the case when I make the response type id_token according to this section of the docs: