Password Resets
Password resetting allows users to regain access to their account if they've forgotten or lost their password. Typically, you should never set a password on a user's behalf, as that would mean whoever set the password also knows another user's password.
A password should only be known by the user the account belongs to, and never shared. For this reason, the auth service provides only a single public endpoint, which starts the password reset process for a given user.
Request Reset Token
When this endpoint is called, it triggers an email to the user requesting the reset, containing a one-time URL that takes them to a screen where they can set a new password. Nothing else needs to be done to facilitate a password reset.
This endpoint always returns an empty successful response, even if the username or client couldn't be found. If it returned an error when a username can't be found, an attacker would learn that the user doesn't exist and could skip it; if it returned success only when the user exists, they would know that the account definitely exists and could focus on it. Returning the same response in both cases prevents this kind of user enumeration.
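The server-side behaviour described above, as an added illustration that is not the auth service's own code: the handler looks the user up, and only if found generates a one-time token (storing a hash, mailing the plaintext in the URL), but returns an identical empty success response either way. The user store, the 30-minute expiry and the reset URL are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample user store keyed by (client_id, username): hypothetical.
USERS = {("example-client-id", "john.smith@example.com"): "user-123"}

TOKEN_TTL = timedelta(minutes=30)  # assumed lifetime of a reset link


@dataclass
class ResetStore:
    tokens: dict = field(default_factory=dict)  # sha256(token) -> (user_id, expires_at)
    outbox: list = field(default_factory=list)  # (recipient, reset_url) that would be emailed


def request_password_reset(store, client_id, username, now=None):
    """Start a reset; always answers (200, b'') whether or not the user exists."""
    now = now or datetime.now(timezone.utc)
    user_id = USERS.get((client_id, username))
    if user_id is not None:
        token = secrets.token_urlsafe(32)
        # Persist only a hash so a leaked table cannot be replayed as links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        store.tokens[digest] = (user_id, now + TOKEN_TTL)
        store.outbox.append((username, f"https://example.invalid/reset?token={token}"))
    # Same status and body on every path: no signal about account existence.
    return (200, b"")


def consume_reset_token(store, token, now=None):
    """Redeem a token exactly once; returns the user_id or None if invalid/expired."""
    now = now or datetime.now(timezone.utc)
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.tokens.pop(digest, None)  # pop makes the link single-use
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id
```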
Required Attributes
| Name | Required | Type | Description |
|---|---|---|---|
| client_id | Yes | string | The ID of the client the request was made to. |
| username | Yes | string | The username of the user which needs a password reset. |
Request
```php
use Compliance\Sdk\Authentication\OAuth\Contracts\OAuthSdkInterface;
use Compliance\Sdk\Authentication\Types\Machine;

// Injected SDK instance held as a class property.
private OAuthSdkInterface $sdk;

// Triggers the reset email for the user; the response body is always empty,
// whether or not the client or username exists.
$response = $this->sdk->v1(new Machine())->requestPasswordReset(
    'example-client-id',
    'john.smith@itccompliance.co.uk'
);
```