Reset Password - Custom Implementation

Hi

We are trying to implement custom Reset Password functionality in our application using the Okta REST API.

We have three flows to achieve this functionality.

  1. Reset password using Challenge Question and Answer - This flow is working fine. Listed below are the steps we are taking to achieve this custom functionality.
  2. Reset Password using Custom Email Factor - Not sure what needs to be done
  3. Reset Password using Custom SMS Factor - Not sure what needs to be done

For #1: we are using these APIs in this order

  • Call /api/v1/authn/recovery/password
    Input: User name. Output: Recovery Token
  • Call /api/v1/authn/recovery/token
    Input: Recovery Token from above. Output: stateToken
  • Call /api/v1/authn/recovery/answer
    Input: stateToken, Challenge Question Answer. Output: stateToken
  • Call /api/v1/authn/credentials/reset_password
    Input: stateToken, NewPassword. Output:

For #2: In this use case, if the user forgets the password, we will have to show the challenge question. If the user does not remember the challenge question answer either, we should send them an email with a short-lived token URL, and when they click on it the system should validate the token and ask for a new password.

I am looking for an Okta API for #2. Please guide us.


Hi @vvravi,

If the user has forgotten the answer to the Forgotten Password question, then an admin can go to the user’s profile, click on Resend Password Email and choose Temporary Password, which can be sent to the user (securely) and used by the user to log in and change the Forgotten Password question.

The same can be achieved via these APIs:

  1. POST {{okta org url}}/api/v1/users/{userId}/lifecycle/expire_password?tempPassword=true
  2. curl --location --request POST 'https://padmagovindarajalu.oktapreview.com/api/v1/users/00utzicth69sMV7vS0h7/credentials/change_recovery_question' \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --header 'Authorization: SSWS xxx' \
     --data-raw '{
       "password": {"value": "temp password"},
       "recovery_question": {
         "question": "What is your favorite color ? ",
         "answer": "blue"
       }
     }'

We hope this helps.

Hi @vvravi

Both email and SMS factors generate a token. Using this token, you will need to start flows in Okta as follows:

Email factor

  1. Request recovery token (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
  "username": "dade.murphy@example.com",
  "factorType": "EMAIL"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"
  2. Validate recovery token (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
 "recoveryToken": "00xdqXOE5qDZX8-PBR1bYv8AESqIFinDy3yul01tyh"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/token"
  3. Answer recovery question (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "stateToken": "00lMJySRYNz3u_rKQrsLvLrzxiARgivP8FB_1gpmVb",
  "answer": "Annie Oakley"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/answer"
  4. Reset password (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "stateToken": "00lMJySRYNz3u_rKQrsLvLrzxiARgivP8FB_1gpmVb",
  "newPassword": "Ch-ch-ch-ch-Changes!"
}' "https://${yourOktaDomain}/api/v1/authn/credentials/reset_password"

SMS Factor

  1. Request recovery token (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
  "username": "dade.murphy@example.com",
  "factorType": "SMS"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"
  2. Validate recovery token (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
  "stateToken": "00xdqXOE5qDXX8-PBR1bYv8AESqIEinDy3yul01tyh",
  "passCode": "657866"
}' "https://${yourOktaDomain}/api/v1/authn/factors/sms/verify"
  3. Answer recovery question (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "stateToken": "00lMJySRYNz3u_rKQrsLvLrzxiARgivP8FB_1gpmVb",
  "answer": "Annie Oakley"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/answer"
  4. Reset password (doc)
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "stateToken": "00lMJySRYNz3u_rKQrsLvLrzxiARgivP8FB_1gpmVb",
  "newPassword": "Ch-ch-ch-ch-Changes!"
}' "https://${yourOktaDomain}/api/v1/authn/credentials/reset_password"

Please note that in the calls above, there is the parameter stateToken which is used to link requests together. This value is generated automatically by the first call that initiates the flow (for email it’s “Validate recovery token” and for SMS it’s “Request recovery token”).
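The two transactions above as a small client, added here as an example that is not Okta's code and not part of the thread. The endpoint paths, request fields and the RECOVERY_CHALLENGE / RECOVERY / SUCCESS status values follow the curl calls in the reply; the FakeOkta class, its recovery token, one-time code, stateToken values and error payloads are constructed so the example runs offline and shows the stateToken hand-off (and what happens when a token is reused or the wrong answer is sent). A real deployment would swap FakeOkta for a transport that POSTs to https://{yourOktaDomain} with the headers shown above.

```python
from typing import Any, Callable, Dict, Optional

# A transport POSTs a JSON body to a path and returns the parsed JSON response.
# In production this wraps an HTTPS client; Accept/Content-Type/Authorization
# headers belong in the transport, not in the flow logic below.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


class RecoveryError(Exception):
    """Okta answered with an error object instead of a transaction."""


class OktaRecoveryClient:
    """Chains the /api/v1/authn recovery calls, passing each stateToken on to the next step."""

    def __init__(self, transport: Transport) -> None:
        self._post = transport

    def _call(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        resp = self._post(path, body)
        if "errorCode" in resp:
            raise RecoveryError(f"{path}: {resp.get('errorSummary', resp['errorCode'])}")
        return resp

    def request_recovery(self, username: str, factor_type: str) -> Dict[str, Any]:
        # Step 1 for both factors (EMAIL or SMS). The body is built as a dict,
        # so there is no trailing-comma JSON mistake to make here.
        return self._call("/api/v1/authn/recovery/password",
                          {"username": username, "factorType": factor_type})

    def validate_recovery_token(self, recovery_token: str) -> str:
        # Email step 2: the token carried by the emailed link becomes a stateToken.
        return self._call("/api/v1/authn/recovery/token",
                          {"recoveryToken": recovery_token})["stateToken"]

    def verify_sms(self, state_token: str, pass_code: str) -> str:
        # SMS step 2: stateToken is the one returned by request_recovery.
        return self._call("/api/v1/authn/factors/sms/verify",
                          {"stateToken": state_token, "passCode": pass_code})["stateToken"]

    def answer_question(self, state_token: str, answer: str) -> str:
        return self._call("/api/v1/authn/recovery/answer",
                          {"stateToken": state_token, "answer": answer})["stateToken"]

    def reset_password(self, state_token: str, new_password: str) -> str:
        return self._call("/api/v1/authn/credentials/reset_password",
                          {"stateToken": state_token, "newPassword": new_password})["status"]

    def recover_by_email(self, recovery_token: str, answer: str, new_password: str) -> str:
        state = self.validate_recovery_token(recovery_token)
        state = self.answer_question(state, answer)
        return self.reset_password(state, new_password)

    def recover_by_sms(self, username: str, pass_code: str, answer: str, new_password: str) -> str:
        state = self.request_recovery(username, "SMS")["stateToken"]
        state = self.verify_sms(state, pass_code)
        state = self.answer_question(state, answer)
        return self.reset_password(state, new_password)


class FakeOkta:
    """Constructed stand-in for an Okta org with one user (not a real server).
    It enforces the ordering the real transaction does: each step accepts only
    the stateToken minted by the previous step, and a token is consumed once it
    advances the transaction. Error codes mirror Okta's shape for illustration."""

    RECOVERY_TOKEN = "rt-constructed-0001"   # what the emailed link would carry
    SMS_CODE = "657866"                      # one-time code "sent" to the phone
    ANSWER = "Annie Oakley"

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}   # stateToken -> step it may be used for
        self._count = 0
        self.password: Optional[str] = None  # set when the reset succeeds

    def _mint(self, step: str) -> str:
        self._count += 1
        token = f"st-constructed-{self._count}"
        self._pending[token] = step
        return token

    def _advance(self, body: Dict[str, Any], step: str, ok: bool,
                 next_step: Optional[str]) -> Dict[str, Any]:
        token = body.get("stateToken", "")
        if self._pending.get(token) != step:
            return {"errorCode": "E0000011", "errorSummary": "Invalid token provided"}
        if not ok:  # wrong code/answer: the transaction stays open for a retry
            return {"errorCode": "E0000068", "errorSummary": "Invalid Passcode/Answer"}
        del self._pending[token]  # consumed: the same token cannot be replayed
        if next_step is None:
            return {"status": "SUCCESS"}
        return {"status": "RECOVERY", "stateToken": self._mint(next_step)}

    def __call__(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if path == "/api/v1/authn/recovery/password":
            if body.get("factorType") == "SMS":
                return {"status": "RECOVERY_CHALLENGE", "stateToken": self._mint("sms")}
            return {"status": "RECOVERY_CHALLENGE"}  # email: recoveryToken arrives out of band
        if path == "/api/v1/authn/recovery/token":
            if body.get("recoveryToken") != self.RECOVERY_TOKEN:
                return {"errorCode": "E0000011", "errorSummary": "Invalid token provided"}
            return {"status": "RECOVERY", "stateToken": self._mint("answer")}
        if path == "/api/v1/authn/factors/sms/verify":
            return self._advance(body, "sms", body.get("passCode") == self.SMS_CODE, "answer")
        if path == "/api/v1/authn/recovery/answer":
            return self._advance(body, "answer", body.get("answer") == self.ANSWER, "reset")
        if path == "/api/v1/authn/credentials/reset_password":
            resp = self._advance(body, "reset", True, None)
            if resp.get("status") == "SUCCESS":
                self.password = body.get("newPassword")
            return resp
        return {"errorCode": "E0000007", "errorSummary": "Not found"}
```

Because the client only ever holds the stateToken of the current step, it cannot skip the security question: the answer call is what mints the token that reset_password accepts, which is the property the thread's later replies are working around when the user has forgotten the answer.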

Hi dragos,

Thank you for your detailed reply. I need to understand the Email/SMS Factor flow for Reset Password when the user does not remember the security challenge question.

The flow you have recommended requires the security answer.

Please let me know.
Ravi

Hi @vvravi

There are two options in this case:

  • disable the security question for a subset of users from Admin >> Security >> Authentication >> Password >> Account Recovery >> Additional self-service recovery option (this option might require a paid feature to be enabled on your Okta tenant; if you do not have it and are eligible, please feel free to send an email to support@okta.com to have it enabled)

  • implement a custom recovery flow that either leverages the API call available here or proxies the requests to Okta up until hitting the security question - when arriving at this step, the script will need to use the API call available here to change the user’s password

Hi Dragos,

Thanks for your reply.

We do have a paid account and I only see these options in our admin account.

Also, if there is an option for us to uncheck, does it mean Okta will not give an option to recover the password using the security question?

Thanks
Ravi

Hi @vvravi

Please feel free to open a ticket with Okta Support through an email to support@okta.com and mention that you would like to check if you are eligible for the feature DISABLE_SECURITY_QUESTION_FOR_RECOVERY and, if yes, to have it active. This feature depends on the SKUs purchased.

Yes, but this applies to the users that fall under the policy based on group membership. This can be seen at the top of the policy under the “Assigned to groups” section.