This flow is used when a user forgets their password.
The user must then enter their email address and will receive a reset password link in an email.
This is a two-part flow that includes the use of one time tokens:
- The forgot password flow generates a reset password link and is described in this document
- The set password flow runs when the link is clicked
The plugin must first be configured with an email provider in its settings:
The entry point to the forgot password flow is shown below.
The page is invoked via a GET request to a URL with this format: /authn/authentication/forgot-password:
If Username is email is not set in the Account Manager, either field can be entered:
If no input is entered, the form is not submitted.
Non-existing and existing values are both accepted, as a best security practice.
The following screen is rendered:
An email will then be received that provides the reset password link:
The forgot password flow generates a one time token, or nonce.
This is included in the above email as a query parameter for the reset password URL.
The token and the account ID are then saved in session data, to the configured data source.
The RequestHandler provides the plugin logic for this flow.
This class is injected with the following SDK objects, which implement its main behavior:
| SDK Object | Usage |
|---|---|
| AccountManager | Used to find the account for the username or email entered |
| NonceTokenIssuer | Used to issue the nonce and save it to the data source against the account |
| EmailSender | Used to send the forgot password email |
| UserPreferenceManager | Used to default the username to the previously saved value |
| AuthenticatorInformationProvider | Used to calculate the full URL when sending an email link |
The following resources can be customized as required: