Reset Password
The authentication action of type reset-password shows a prompt where users are asked to update their password. The action decides whether to show this prompt by looking up the attribute with the configured name in the Attributes and checking its value.
By default, that attribute is looked up in the subject attributes. This source location can be changed with the attribute-source setting; the alternative locations are the context attributes and the action attributes.

Configuration
The following configuration options are available:
| Configuration | Mandatory | Description |
|---|---|---|
| credential-manager | Yes | The credential manager used to update the password. |
| attribute | No | The name of the attribute that, when its value is true, causes the action to prompt the user to reset the password. Defaults to resetPassword. |
| account-manager | No/Yes | The account manager used to resolve the account. Required if the data source backing credential-manager is a legacy credentials data source. |
| allow-skip | No | If set to true, the user will be able to skip the password update. Defaults to false. |
| ask-current-password | No | If set to true, the user will be asked to provide their current password. Defaults to false. |
| regular-expression | No | A regular expression that is applied to the new password to enforce password strength. |
Example Usage
Normally, this action would run in the login flow of an authenticator like html-form. It only shows the prompt when an attribute with the configured name (attribute) is found in the Subject Attributes and its value is true. The user then either updates the password or skips the update, if the configuration allows that.
The action doesn’t update any of the account attributes, so together with this action you probably want to create an event listener that acts on the event PasswordUpdatedCredentialManagerEvent. There you can choose to update your account store so that the next time the user logs in, you don’t ask for another password reset.
Errors
Possible Validation Errors (prefixed as message keys with authentication-action.reset-password):
- validation.error.password.required: When the form is posted with an empty password field and allow-skip==false
- validation.error.password.mismatch: When password!=password2
- validation.error.password.weak: When the regular expression is set up and the password doesn’t match
- validation.error.incorrect.credentials: When the current password is incorrect
Internal errors at runtime might occur, if
- The subject is not found in the Subject Attributes
- The configured account manager didn’t find the account
- The configured credential manager can’t update the password
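An added example, not part of the product documentation: a Python model of the four validation conditions listed above, used to vet a candidate regular-expression value against sample passwords before it is configured. The check order, the dot joining prefix and key, whole-string matching, and the patterns and passwords are assumptions constructed for this example.

```python
import re

PREFIX = "authentication-action.reset-password."  # joined with "." (assumption)

# Constructed candidate for the regular-expression setting: 12+ characters with
# a lowercase letter, an uppercase letter and a digit. Anchored with ^...$ so
# the verdict does not depend on whole-string vs. substring matching.
ANCHORED = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$"
# Constructed counter-example: written to mean "contains a digit", no anchors.
LOOSE = r"\d"

def validate(password, password2, *, pattern=None, allow_skip=False,
             ask_current_password=False, current_ok=True):
    """Return the message key of the first failing check, or None if accepted.

    The conditions are the ones listed under Errors; the order in which they
    are checked, and whole-string matching, are assumptions of this example.
    """
    if not password:
        return None if allow_skip else PREFIX + "validation.error.password.required"
    if password != password2:
        return PREFIX + "validation.error.password.mismatch"
    if pattern is not None and re.fullmatch(pattern, password) is None:
        return PREFIX + "validation.error.password.weak"
    if ask_current_password and not current_ok:
        return PREFIX + "validation.error.incorrect.credentials"
    return None

def semantics_disagree(pattern, samples):
    """Samples whose verdict differs between whole-string and substring matching."""
    rx = re.compile(pattern)
    return [s for s in samples
            if (rx.fullmatch(s) is None) != (rx.search(s) is None)]

# Constructed sample passwords for vetting a pattern before it is configured.
SAMPLES = ["Tr1ckyHorse42x", "7", "alllowercaseletters", "Short1A"]

if __name__ == "__main__":
    for name, pat in (("ANCHORED", ANCHORED), ("LOOSE", LOOSE)):
        print(name, "disagrees on:", semantics_disagree(pat, SAMPLES))
        for s in SAMPLES:
            print("  ", repr(s), "->", validate(s, s, pattern=pat))
```

A pattern for which `semantics_disagree` returns anything should be rewritten with anchors and retested in the product itself, since the regex dialect and matching mode it applies are not stated on this page.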
Back-channel support
This action cannot be used in back-channel authentication.