When a user forgets their password, the best solution is to send them an email containing a link that allows them to create a new one. AuthN ensures that the forgotten-password process does not let attackers enumerate user accounts (it never reveals whether an address belongs to an account), while providing a secure reset token to your application for delivery.
Your application must implement an endpoint (secured by SSL and HTTP Basic Auth) that expects a `POST` with `account_id` and `token` params. It should use the `account_id` to look up the account's own contact address and decide where to deliver the `token`. Because AuthN is the only legitimate caller, reject requests that fail the Basic Auth check before doing anything else, and never write the token to logs.
For example, a Rails application might use these params to send an email:
```ruby
class AuthnController < ApplicationController
  # Only AuthN may call this endpoint. The credentials are the user:password pair
  # embedded in APP_PASSWORD_RESET_URL; the environment variable names are an assumption.
  http_basic_authenticate_with name: ENV.fetch("AUTHN_WEBHOOK_USER"),
                               password: ENV.fetch("AUTHN_WEBHOOK_PASSWORD")

  def password_reset
    @user = User.find_by(account_id: params[:account_id])
    # Mail the reset token to the user's own address; an unknown account_id is silently ignored.
    AccountMailer.password_reset(@user, params[:token]).deliver_later if @user
    # AuthN only needs an acknowledgement; do not echo the token back.
    head :ok
  end
end
```
Set APP_PASSWORD_RESET_URL to the full URL of your password reset endpoint. The `user:password` part of the URL is what AuthN sends as HTTP Basic Auth credentials, so treat the whole value as a secret and make sure your endpoint actually verifies it. For the example above, it might look like:
```
# development
APP_PASSWORD_RESET_URL=http://localhost:3000/authn/password_reset

# production
APP_PASSWORD_RESET_URL=https://user:email@example.com/authn/password_reset
```
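The following is an added example, not AuthN's or the page's own code: a framework-free version of the reset webhook that shows the checks the Rails controller above relies on the framework for. It derives the expected Basic Auth header from the same APP_PASSWORD_RESET_URL value handed to AuthN (so the two sides cannot drift apart), compares it in constant time, accepts only a `POST` carrying `account_id` and `token`, and passes the token to a delivery callback. The `Request` struct, `ResetWebhook` module and the `deliver` callback are assumptions introduced for the example.

```ruby
require "uri"

# Minimal stand-in for a framework request object (assumption for this example).
Request = Struct.new(:method, :headers, :body)

module ResetWebhook
  # Constant-time comparison so a timing oracle cannot recover the credential
  # byte by byte. Leaking the length via the early return is acceptable here.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The Authorization header AuthN will send, derived from the userinfo part of
  # APP_PASSWORD_RESET_URL. Fails closed if the URL carries no credentials at all.
  def self.expected_authorization(reset_url)
    uri = URI.parse(reset_url)
    unless uri.user && uri.password
      raise ArgumentError, "APP_PASSWORD_RESET_URL must include user:password for Basic Auth"
    end
    "Basic " + ["#{uri.user}:#{uri.password}"].pack("m0") # strict base64, no newline
  end

  # Returns [status, body]. `deliver` receives (account_id, token) and is expected
  # to look up the account's own address and mail the token; nothing else from the
  # request reaches it.
  def self.handle(request, reset_url:, deliver:)
    return [405, "method not allowed"] unless request.method == "POST"

    provided = request.headers["Authorization"].to_s
    return [401, "unauthorized"] unless secure_compare(provided, expected_authorization(reset_url))

    params = URI.decode_www_form(request.body.to_s).to_h
    account_id = params["account_id"].to_s
    token = params["token"].to_s
    return [400, "missing account_id or token"] if account_id.empty? || token.empty?

    # Hand the token off for delivery; the response is only an acknowledgement to
    # AuthN and must not contain or log the token.
    deliver.call(account_id, token)
    [200, ""]
  end
end
```

In a real deployment the `deliver` callback is where the Rails controller's `AccountMailer` call goes; keeping it separate from the transport checks makes the Basic Auth and method checks easy to test without a mail server. Note that the development URL on this page carries no credentials, so this helper would refuse to start with it; that is intentional, since an unauthenticated webhook would let anyone trigger reset mails with a token of their choosing.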
First, create a place for users to begin the process:
- Create a form where the user may enter an account email.
- Submit the email to AuthN. Note that AuthN always reports success, whether or not the address matches an account, so your UI should show the same "check your email" message in every case rather than revealing which addresses are registered.
Then, create a place for users to continue the process after clicking through your email:
- Create a form where the user may enter a new password. This form needs the `token` that your app sent to the user earlier.
- Submit the `token` and new password to AuthN.
- If successful, the user will be logged in.