Reset Password

The authentication action of type reset-password shows a prompt where users are asked to update their password. The Action decides on whether to show this prompt by accessing the Attributes and looking for the value of the attribute with the configured name. By default that attribute is searched in the subject attributes, it is possible to change this source location by using the attribute-source setting. The alternative locations are the context attributes and the action attributes.


Fig. 118 The reset password prompt


The following configuration options are available:

Configuration Mandatory Description
account-manager yes The account manager used to resolve the account
credential-manager yes The credential manager used to update the password
attribute yes The name of the attribute which when its value is true the action will prompt the user to reset the password (Defaults to resetPassword).
allow-skip yes If set to true, the user will be able to skip the password update.
regular-expression no A regular expression that is applied in the new password, to enforce the password’s strength
attribute-source no Location of where the configured attribute is present. Defaults to subject-attributes

Example Usage

Normally, this action would run at the login flow of an authenticator like html-form. It only shows the prompt when an attribute with the configured name (attribute) is found in the Subject Attribute and its value is true. Then the user would either update the password or skip, if that is allowed by the configuration.


The action doesn’t update any of the account attributes, so together with this action you probably want to create an event listener that acts on the event PasswordUpdatedCredentialManagerEvent. There you can choose to update your account store so that the next time the user logs in, you don’t ask for another password reset


Possible Validation Errors (prefixed as message keys with authentication-action.reset-password):

  • validation.error.password.required When the form is posted with an empty password field and allow-skip==false
  • validation.error.password.mismatch When password!=password2
  • validation.error.password.weak When the regular expression is setup and the password doesn’t match

Internal errors at runtime might occur, if

  • The subject is not found in the Subject Attributes
  • The configured account manager didn’t find the account
  • The configured credential manager can’t update the password