Reset password email not allowing users to reset, it says ask your system administrator to do so

Hello, I am using Okta with the authjs using a custom login, resetpassword, etc using a single page app.

When I am registering a user I am using the Okta API to create the user. I can see that the user is active, but when I am trying to test the reset password functionality with that user, I receive an email that says:

A password reset request was made for your Okta account. If you did not make this request, please contact your system administrator immediately.
At this time your password can only be reset by an administrator. To send them a request, go to your [Sign-in Help] page. Then click the Request help link.

How can I avoid that? I was expecting to see the resetPasswordUrl link there. What am I doing wrong? I don’t want my users to ask the admin to get their passwords reset.

Thanks

Hi @esolanas

In Admin panel, check to see under Security >> Authentication >> Password to see if the policy and rule for the users permit the user to “change password” and “perform self-service password reset”.

Here is an example of how it should look:

[Screenshot: Capture]

Hi @dragos, thanks for your response, but I can’t see any password rules on the password page, only how to set up the password strength.

I was expecting that by default all created users should be able to handle their reset password by themselves to be honest.

Hi @esolanas

It seems that the group password policy is not enabled on your Okta org. Can you please send an email to support@okta.com to have this feature enabled?

Thanks @dragos, I just sent a support email!

Using my admin account I can see the resetPasswordLink link, which reminded me of another question I have for you guys.

Is there any way to tell Okta the URL for that email? At the moment I managed to hack the emailTemplate using this https://whatever.com/pathToPasswordReset?token={recoveryToken} instead of the default href={resetPasswordLink}

Ideally I would like to give Okta the following ‘https://whatever.com/pathToPasswordReset’ and it should just be able to append the ?token=${recoveryToken} bit at the end without changing the forgot password email template. Any thoughts?

Thanks!

Hi @esolanas

Unfortunately, at the moment, the variables are hardcoded and cannot be modified.
Please feel free to suggest this as a product improvement on our Okta Community by going to your Okta Admin Panel >> Help and Training >> Contribute to Ideas.

@dragos

Support guys just enabled the password policies. I have 2 now, default and legacy
In default I can see:
12
And in Legacy I can see 2 rules:
default and legacy
In both they have the same settings you told me.

Now when I am triggering the forgot password email the response is a 403 with the following error message:
{"errorCode":"E0000034","errorSummary":"Forgot password not allowed on specified user.","errorLink":"E0000034","errorId":"oaeIHsIQCwLT8mtgSRGGSz6-g","errorCauses":[{"errorSummary":"Forgot password is not allowed in the user's current status"}]}

Is there anything else that I should do?

I will try to create that base path URL suggestion later on.

Thanks

Hi @esolanas

This error usually occurs if the user is already in password reset status or in any status other than active.

Can you test this option now with an active account and see if you are able to successfully reset the user’s password?

Hi @dragos, I have deleted that user, created it again, tested that the login works and then tried the reset password again, but I am still having a 403:
{"errorCode":"E0000034","errorSummary":"Forgot password not allowed on specified user.","errorLink":"E0000034","errorId":"oae8Ahg5b5rRqqB7g6qUz-xFg","errorCauses":[{"errorSummary":"Forgot password is not allowed in the user's current status"}]}

I am checking and the status for that user is Active

I just created a new fresh user and I am getting the same error.

I uploaded the password rules configuration in the previous post; maybe something is missing?

Hi @esolanas

The best solution would be to have a ticket opened with support to further investigate the configuration. You can follow-up on the same ticket you opened previously or open a new one and mention the error and ask for assistance. One of our Support engineers will further assist you.

@dragos Thanks for everything

@esolanas I know it’s been a while but I just resolved this same issue in my tenant.

The problem could be that the user doesn’t have a Security Question set. This could happen when you have self service registration along with the login widget. You’re simply never asked to set it. You can address or set this right away by logging the test user into the traditional login screen of your tenant. Okta will run the user through the setting of the question, security image, etc.

Your fix options: set the security question via widget (not sure if this is possible) or API, or there is a feature flag that support can turn on to “disable the security question for recovery”. That should clear the path for allowing SSPR.

Hello,
I have the same problem. I have double-checked the policy and rule in order to allow users to change and reset passwords. Still, the reset password email does not allow resetting passwords and contains “At this time your password can only be reset by an administrator…”.
Am I missing something? What should be done to allow users to reset their passwords?
Thanks

Alex

Hi @alexandre.victoor

Can you please open a support case with us through an email to support@okta.com in order to have one of our Support Engineers assist you in reviewing the policies that you currently have in place?

For anyone coming across this with test accounts, the cause is likely the password policy age setting “Minimum password age is 1 days”.

This will prevent you from resetting the password of a test account created within the past 24h.

If you need to test your pw reset script to ensure it’s working, you can temporarily disable this setting, run the script, then re-enable when confirmed working.

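The causes reported across this thread (user status, the two rule permissions, a missing security question, and the minimum password age) can be checked together. The following is an added example, not code from any poster or from Okta; the JSON field names are assumptions based on the shape of Okta's Users and Policy API objects, and the sample data is constructed, so verify the names against your own org's responses.

```python
from datetime import datetime, timedelta, timezone

def sspr_blockers(user, policy, rule, now):
    """List reasons, as reported in this thread, why self-service reset is refused."""
    reasons = []
    # "Forgot password is not allowed in the user's current status"
    if user.get("status") != "ACTIVE":
        reasons.append("user status is %s, not ACTIVE" % user.get("status"))
    # The rule must permit both "change password" and "perform self-service password reset"
    actions = rule.get("actions", {})
    for key in ("passwordChange", "selfServicePasswordReset"):
        if actions.get(key, {}).get("access") != "ALLOW":
            reasons.append("rule does not allow " + key)
    settings = policy.get("settings", {})
    # Security question required for recovery but never set on the user
    factors = settings.get("recovery", {}).get("factors", {})
    required = factors.get("recovery_question", {}).get("status") == "ACTIVE"
    question = user.get("credentials", {}).get("recovery_question", {}).get("question")
    if required and not question:
        reasons.append("security question required for recovery but not set")
    # Minimum password age has not elapsed since the password was last set
    min_age = settings.get("password", {}).get("age", {}).get("minAgeMinutes", 0)
    changed = user.get("passwordChanged")
    if min_age and changed:
        changed_at = datetime.fromisoformat(changed.replace("Z", "+00:00"))
        if now - changed_at < timedelta(minutes=min_age):
            reasons.append("minimum password age of %d minutes not reached" % min_age)
    return reasons

# Constructed sample: a test user created two hours ago via the API, no security question
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_USER = {"status": "ACTIVE", "passwordChanged": "2024-01-01T10:00:00.000Z",
               "credentials": {"password": {}}}
SAMPLE_POLICY = {"settings": {
    "password": {"age": {"minAgeMinutes": 1440}},
    "recovery": {"factors": {"recovery_question": {"status": "ACTIVE"}}}}}
SAMPLE_RULE = {"actions": {"passwordChange": {"access": "ALLOW"},
                           "selfServicePasswordReset": {"access": "ALLOW"}}}

if __name__ == "__main__":
    for reason in sspr_blockers(SAMPLE_USER, SAMPLE_POLICY, SAMPLE_RULE, NOW):
        print("blocked:", reason)
```

An ACTIVE user can still be refused, which matches the 403 seen above on a freshly created account.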