Hello, I am using Okta with authjs using a custom login, reset password, etc. in a single page app.
When I am registering a user I am using the Okta API to create the user. I can see that the user is active, but when I am trying to test the reset password functionality with that user, I receive an email that says:
A password reset request was made for your Okta account. If you did not make this request, please contact your system administrator immediately.
At this time your password can only be reset by an administrator. To send them a request, go to your [Sign-in Help] page. Then click the Request help link.
How can I avoid that? I was expecting to see the resetPasswordUrl link there. What am I doing wrong? I don't want my users to ask the admin to get their passwords reset.
In the Admin panel, check under Security >> Authentication >> Password to see if the policy and rule for the users permit the user to "change password" and "perform self-service password reset".
It seems that the group password policy is not enabled on your Okta org. Can you please send an email to support@okta.com to have this feature enabled?
Using my admin account I can see the resetPasswordLink link, which reminded me of another question I have for you guys.
Is there any way to tell Okta the URL for that email? At the moment I managed to hack the email template using this https://whatever.com/pathToPasswordReset?token={recoveryToken} instead of the default href={resetPasswordLink}
Ideally I would like to give Okta the following "https://whatever.com/pathToPasswordReset" and it should just be able to append the ?token=${recoveryToken} bit at the end without changing the forgot password email template. Any thoughts?
Unfortunately, at the moment, the variables are hardcoded and can not be modified.
Please feel free to suggest this as a product improvement on our Okta Community by going to your Okta Admin Panel >> Help and Training >> Contribute to Ideas.
Now when I am triggering the forgot password email the response is a 403 with the following error message:
{"errorCode":"E0000034","errorSummary":"Forgot password not allowed on specified user.","errorLink":"E0000034","errorId":"oaeIHsIQCwLT8mtgSRGGSz6-g","errorCauses":[{"errorSummary":"Forgot password is not allowed in the user's current status"}]}
Is there anything else that I should do?
I will try to create that base path URL suggestion later on.
Hi @dragos, I have deleted that user, created it again, tested that the login works and then tried the reset password again, but I am still getting a 403:
{"errorCode":"E0000034","errorSummary":"Forgot password not allowed on specified user.","errorLink":"E0000034","errorId":"oae8Ahg5b5rRqqB7g6qUz-xFg","errorCauses":[{"errorSummary":"Forgot password is not allowed in the user's current status"}]}
I am checking and the status for that user is Active
I just created a new fresh user and I am getting the same error.
I uploaded the password rules configuration in the previous post; maybe something is missing?
The best solution would be to have a ticket opened with support to further investigate the configuration. You can follow-up on the same ticket you opened previously or open a new one and mention the error and ask for assistance. One of our Support engineers will further assist you.
@esolanas I know it's been a while, but I just resolved this same issue in my tenant.
The problem could be that the user doesn't have a Security Question set. This could happen when you have self service registration along with the login widget. You're simply never asked to set it. You can address or set this right away by logging the test user into the traditional login screen of your tenant. Okta will run the user through the setting of the question, security image, etc.
Your fix options: set the security question via the widget (not sure if this is possible) or the API, or there is a feature flag that support can turn on to "disable the security question for recovery". That should clear the path for allowing SSPR.
Hello,
I have the same problem. I have double checked the policy and rule in order to allow users to change and reset passwords. Still the reset password email does not allow resetting passwords and contains "At this time your password can only be reset by an administrator…".
Am I missing something? What should be done to allow users to reset their passwords?
Thanks
Can you please open a support case with us through an email to support@okta.com in order to have one of our Support Engineers assist you in reviewing the policies that you currently have in place?
For anyone coming across this with test accounts, the cause is likely the password policy age setting "Minimum password age is 1 days".
This will prevent you from resetting the password of a test account created within the past 24h.
If you need to test your password reset script to ensure it's working, you can temporarily disable this setting, run the script, then re-enable it when confirmed working.
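The thread ends up listing several distinct reasons the same E0000034 "Forgot password not allowed on specified user" response appears (policy rule not permitting self-service reset, group password policy not enabled, missing security question, non-active user, minimum password age), and separately asks how to hand the SPA its own reset link without editing the Okta email template. The following helper, an added example that is not code from Okta or from any poster, covers both: it builds the documented `POST /api/v1/users/{id}/credentials/forgot_password?sendEmail=false` call (with `sendEmail=false` Okta returns `resetPasswordUrl` instead of sending its own email, which is the supported way to own the link), triages the response into the checklist above, and builds the SPA link from a base path plus a recovery token. The org URL, API token, user id and SPA path are assumed placeholders; the 403 body is the one quoted in the thread, and the 200 body is constructed.

```python
"""Triage helper for Okta self-service password reset (SSPR) failures.

Added example, not Okta's own code or any poster's script. Assumed values:
the org URL, the SSWS API token, the user id and the SPA reset path. The
endpoint, the resetPasswordUrl field and error code E0000034 come from the
Okta API and the thread.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# 403 body as quoted in the thread (errorId is the one the poster received).
SAMPLE_403_BODY = (
    '{"errorCode":"E0000034","errorSummary":"Forgot password not allowed on '
    'specified user.","errorLink":"E0000034","errorId":"oaeIHsIQCwLT8mtgSRGGSz6-g",'
    '"errorCauses":[{"errorSummary":"Forgot password is not allowed in the '
    'user\'s current status"}]}'
)
# Constructed 200 body; the real URL is org-specific and token-bearing.
SAMPLE_200_BODY = '{"resetPasswordUrl": "https://example.okta.com/signin/reset-password/PLACEHOLDER"}'

# Conditions the thread identifies as blocking SSPR, in the order they came up.
E0000034_CHECKS = (
    "Security > Authentication > Password: rule allows 'change password' and "
    "'perform self-service password reset'",
    "group password policy enabled on the org (support@okta.com if it is not)",
    "user has a recovery factor (security question) enrolled, or the "
    "recovery-question requirement disabled by support",
    "user status is ACTIVE",
    "'Minimum password age' not blocking a freshly created test account",
)


def forgot_password_request(org_url, user_id, api_token, send_email=False):
    """Describe the forgot_password call; sendEmail=false yields resetPasswordUrl."""
    path = "/api/v1/users/%s/credentials/forgot_password" % urllib.parse.quote(user_id, safe="")
    query = urllib.parse.urlencode({"sendEmail": "true" if send_email else "false"})
    return {
        "method": "POST",
        "url": org_url.rstrip("/") + path + "?" + query,
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": "SSWS " + api_token,  # Okta API token scheme
        },
    }


def triage_forgot_password(status, body):
    """Turn the Okta response into a dict the caller or an admin can act on."""
    data = json.loads(body) if body else {}
    if status == 200:
        return {"ok": True, "reset_url": data.get("resetPasswordUrl")}
    code = data.get("errorCode")
    causes = [c.get("errorSummary", "") for c in data.get("errorCauses", [])]
    result = {"ok": False, "status": status, "error_code": code,
              "summary": data.get("errorSummary"), "causes": causes,
              "error_id": data.get("errorId"), "checks": []}
    if status == 403 and code == "E0000034":
        result["checks"] = list(E0000034_CHECKS)  # what to verify in the admin console
    return result


def build_reset_link(base_path, recovery_token):
    """Append ?token=<recoveryToken> to the SPA reset page, keeping other params and encoding the token."""
    parts = urllib.parse.urlsplit(base_path)
    params = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    params = [(k, v) for k, v in params if k != "token"] + [("token", recovery_token)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(params)))


def token_from_reset_link(link):
    """SPA side: read the token back out of the link; None if it is absent."""
    values = urllib.parse.parse_qs(urllib.parse.urlsplit(link).query).get("token")
    return values[0] if values else None


def run(org_url, user_id, api_token, transport=None):
    """Send the request (urllib by default, or an injected transport for offline tests) and triage it."""
    req = forgot_password_request(org_url, user_id, api_token)
    if transport is None:
        def transport(r):
            request = urllib.request.Request(r["url"], method=r["method"], headers=r["headers"], data=b"")
            try:
                with urllib.request.urlopen(request) as resp:
                    return resp.status, resp.read().decode()
            except urllib.error.HTTPError as e:
                return e.code, e.read().decode()
    status, body = transport(req)
    return triage_forgot_password(status, body)


if __name__ == "__main__":
    # Offline demonstration against the thread's 403 body.
    print(run("https://example.okta.com", "00uPLACEHOLDER", "API_TOKEN_PLACEHOLDER",
              transport=lambda r: (403, SAMPLE_403_BODY)))
    print(build_reset_link("https://whatever.com/pathToPasswordReset", "RECOVERY_TOKEN_PLACEHOLDER"))
```

Treat `resetPasswordUrl` and any recovery token as a credential: log the `errorId` for support, never the token, and deliver the link only over the channel you have already verified for that user.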