6.2.2

• Home

Table of Contents

• System Admin Guide
• Authentication Service Admin Guide
  • Overview
  • Defining an Authentication Service Profile
  • Authenticators
  • Authentication Actions
    • Overview
    • Attribute Prompt Action
    • Auto Create Account
    • Auto Link Accounts
    • Conditional Multi-Factor
    • Data Source Transformer Action
    • Date/Time Deny Action
    • Debug Attribute Action
    • Geolocation Allow or Deny Country Action
    • Geolocation Changed Country Action
    • Geolocation Impossible Journey Action
    • Geolocation New Country Action
    • Lookup Links Action
    • Regular Expression Transformer Action
    • Remove Attribute Transformer Action
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
    • Script Transformer Action
    • Sequence Action
    • Switch Action
    • Time-based Deny Action
    • Zone Transfer
  • Multi-Factor Authentication
  • Account Linking
  • Protocol Plugins
  • Account Manager
  • Service Providers
  • Authenticator Filters
  • Single Sign-On
  • Automatic Login
  • Logout
  • Geolocation
• Token Service Admin Guide
• User Management Admin Guide
• Developer Guide
• Configuration Guide
• Glossary

Reset Password

The authentication action of type reset-password shows a prompt where users are asked to update their password. The Action decides on whether to show this prompt by accessing the Subject Attributes and looking for the value of the attribute with the configured name.

Fig. 104 The reset password prompt

Configuration

The following configuration options are available:

Configuration	Mandatory	Description
account-manager	yes	The account manager used to resolve the account
credential-manager	yes	The credential manager used to update the password
attribute	yes	The name of the attribute which when its value is true the action will prompt the user to reset the password (Defaults to resetPassword).
allow-skip	yes	If set to true, the user will be able to skip the password update.
regular-expression	no	A regular expression that is applied in the new password, to enforce the password’s strength

Example Usage

Normally, this action would run at the login flow of an authenticator like html-form. It only shows the prompt when an attribute with the configured name (attribute) is found in the Subject Attribute and its value is true. Then the user would either update the password or skip, if that is allowed by the configuration.

Note

The action doesn’t update any of the account attributes, so together with this action you probably want to create an event listener that acts on the event PasswordUpdatedCredentialManagerEvent. There you can choose to update your account store so that the next time the user logs in, you don’t ask for another password reset

Errors

Possible Validation Errors (prefixed as message keys with authentication-action.reset-password):

• validation.error.password.required When the form is posted with an empty password field and allow-skip==false
• validation.error.password.mismatch When password!=password2
• validation.error.password.weak When the regular expression is setup and the password doesn’t match

Internal errors at runtime might occur, if

• The subject is not found in the Subject Attributes
• The configured account manager didn’t find the account
• The configured credential manager can’t update the password