Reset password with code not working
Hello, for my user to change their password they call an endpoint on my api. the api gets a code and builds the url to the code reset page.
for that i use the c# grpc looking like this:
var code = zitadelUserApi.PasswordReset(new Zitadel.User.V2.PasswordResetRequest()
{
    ReturnCode = new Zitadel.User.V2.ReturnPasswordResetCode(),
    UserId = identityUser.User.Id,
}).VerificationCode;
with the code i get here i build the url like this:
$"https://myzitadel.example.com/ui/login/password/init?&callback=mywebsite.com&code={code}&orgID={myorg}&userID={identityUser.User.Id}";
till here everything works but now when the user clicks the link and changes his password he gets the notification that the password reset was successful but when he tries to login with the newly set password it is not a correct password. Is this a bug or am i doing something wrong? But surely the password is not changed, even though the frontend says so.
46 Replies
Hi @boblack_zocker, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
 
I wasn't able to find a direct answer, here are some relevant sources:
1. Request a code to reset a password (1): The official API documentation shows how to request password reset codes and includes a urlTemplate parameter that allows you to customize the reset URL with placeholders for UserID, OrgID, and Code.
2. Request a code to reset password (2)  : A community discussion that clarifies you must choose between sendLink or returnCode - you cannot use both in the same request, which matches your implementation approach.
To learn more, see the sources I considered:
[1] Request a code to reset a password
[2] Request a code to reset password
Feel free to tag @Ask Inkeep with additional questions.
@Rajat can u help me with this one?
@Ask Inkeep is the authRequestID needed?
Thanks for the follow-up, @boblack_zocker. I'll get back to you soon.
Answer
 I wasn't able to find a direct answer, here are some relevant sources:
1. Get OIDC Auth Request details : This endpoint requires an authRequestId as a path parameter to retrieve OIDC Auth Request details by ID, obtained from the redirect URL.
2. Finalize an Auth Request and get the callback URL. : This endpoint shows how to finalize an auth request with session details, but the specific relationship to password reset flows isn't explicitly documented.
Feel free to tag @Ask Inkeep with additional questions.
hey @boblack_zocker what version is this? When they are not able to change password, can they still login with the old password?
this is v2.58.6 version. yes they still can log in. if they click on the "reset password" button in the form again and change it with this link there they can successfully change the password and log in with that one
but somehow if i build the url and they change it with the provided url from me it says it was successful but does not change it
is v2.58.6 the zitadel version you are using? Do you know we are on v4+ atm? are you a PRO customer? This seems like a very old version that you are running
we are selfhosted. and we dont upgrade often.
okay I have to take a look at it, is this a new issue that came up OR been existing for a long time?
i just found out it is not working. i had another ticket a few weeks ago where i needed this. https://discord.com/channels/927474939156643850/1425453127288754176
its only not working if i get the code of the reset code in my api instead of directly sending it per mail
there are 2 options to make the api call
ZITADEL Docs
Request a code to reset a password..
i've set the medium to return_code and the code is returned to the api that called the zitadel request
Since the password reset appears in your UI but doesn't actually change the password, this suggests there might be:
A missing required parameter in your URL construction (i have to check more)
An issue with the code expiration (you can configure code lifetime via Secret Generator settings)
A mismatch between the expected URL format and what you're providing (highly unlikely, but double check)
the only parameter i am missing is the authRequestID
have you tried appending authRequestID and trying again?
not really, because i dont have one
can i generate one?
and for what is it used
hey @boblack_zocker checking w/ the team 🙂
hey @boblack_zocker, if you open https://<instance-domain>/ui/login/login in an incognito window, you will have authRequestID in the URL
yes you have that if you go to the zitadel login
in my case the user is not on the login page before
in my case the api does the "reset password". and the api has no authRequestID
yes you are correct, checking again
hey @boblack_zocker I got a response internally
If you want to adhere to the OIDC standard and obtain an Access Token etc, these are the steps: https://zitadel.com/docs/guides/integrate/login-ui/oidc-standard#authorize-request
For this flow, you do need to call the /oauth/v2/authorize endpoint from Zitadel, but only to grab the “authRequest” parameter from the response. You could handle this in a hidden webview/iFRAME, or make a GET request and scrape this value from the returned HTML response.
BUT I did notice that the name of the parameter seems to have changed to requestId now. Try calling authorize, and you will be redirected to the following URL: /ui/v2/login/loginname?requestId=oidc_V2_341305873773166305
hope this helps 🙂
did the team also tell if this is the missing part for making it work?
to get the authrequestId?
that missing part you mean
to get this link here working
you mean this one?
https://myzitadel.example.com/ui/login/password/init?&callback=mywebsite.com&code={code}&orgID={myorg}&userID={identityUser.User.Id}
yes
no i didnt check that, i asked for getting the auth request Id and how to proceed, pls try if that works because if that works meaning the docs need to be updated with correct steps. I/my teammates dont have a hosted custom ui with that old version (let alone a new one) so saying anything on my side without testing is not good 😅 that is why i am suggesting you to try on your end
alright i will test it 😄
thanks for understanding
i just tested it out and authRequestID is not the missing part
still i change the password and get the verification that the password has changed. but at the end when i try to login with the new password it says password is incorrect
so it still did not change it
i dont understand why this works when the code is sent to the user per mail directly and why its not working when i get the code in the api first and build the url exactly like its provided in the email of the user
do you see anything on your logs since you are self hosted
the only other plausible cause would be that this is an outdated version which has been already deprecated so they're not maintained.
https://zitadel.com/docs/product/roadmap
everything is correct based on what we discussed. The ONLY other issue I can think of is that the verification code might have different lifetimes or validation rules.
the ReturnCode you mentioned above should work but seems like its not
could you look into it if and how the return code works on a newer version?
i dont think its the lifetimes because if the code was not valid i would get a error like "code not found"
the code process looks like working but its not saving the password
it does

and does the code really reset the password? did u test this out too?
get code - change pw with code - login with new pw
it actually worked!
but I am testing a behaviour, my password from the api was changed but I also had a password reset on login, I think that I tested both sendLink and return code.
With returncode you can change the password via api https://zitadel.com/docs/apis/resources/user_service_v2/user-service-set-password
or you can use sendLink to get a password reset on login I believe
but I will also test the v2 endpoint if that also works or not
can u change the password in the ui if u do the url like this? https://{{zitadelinstance}}/ui/login/password/init?&code=THECODE&orgID=12345&userID=12345
I did not see the URL, but you can give it a try
but I get an error for ID missing


I am not sure if thats the right way to change the password
what id?
authRequestID?
no idea, I never tried any other way but the api way or the UI reset after the first login
like this it gives me no error but it does not work
it also says the same thing here
https://github.com/zitadel/zitadel/discussions/7262#discussioncomment-8179488
here its about getting the code from the api
that u cant use sendlink and returncode in the same call
what i am doing is that i use "return code" and then do the same url like "sendlink" would build it
if u do "sendlink" u get a mail with the code. extract that exact link and put the code in that u get with "return code"
could you try this ?
hey @boblack_zocker I cannot try it atm, pls test it and go ahead, I am not hitting the issue or maybe i am having trouble understanding because the password change worked on v4
pls try upgrading the instance, I can probably say that all those initial errors that were happening will go away and you may be able to continue
alright i'm gonna try on the newer version. thanks for your help 🙂
we have a big version mismatch, I cant say confidently if something that works for me will also work for you, but as far as the apis and the ui go, it works very well, like you can see above. Now this is getting twisted into a more and more specific use case which I also have no time for as there are a lot of threads. hope this helps.
yes i understand it no problem