Prevent redirect after forgot password flow?
-
When a user goes through the “forgot password” flow, gets an email with a link to reset their password, submits a new password with confirm password, they are signed in and redirected to the application.
Is there any way to prevent that redirect to the application from happening? We’re using PKCE for our SPAs and we don’t want to initiate a login from anywhere but that application itself.
-
When the user arrives at the Forgot Password we capture all of the OAuth2 state, including PKCE parameters. When the user completes this flow, we replay all of this state, so the login will complete using PKCE.
If you want the Forgot Password flow to complete without this step, you can either handle Forgot Password in your SPA, or when you redirect them to the FusionAuth Forgot Password page
/password/forgot- do not provideclient_idon the request. Ifclient_idis not provided, we will assume this is not within the OAuth2 workflow and we will not attempt to log the user in at the end of the flow. In this case, the user will end up on/password/complete. -
D dee.lalwani referenced this topic on 10 Aug 2022, 03:19