Users Getting Automatically Logged Post Successful Password Reset Flow

[deelalwani]

Users Getting Automatically Logged Post Successful Password Reset Flow

Description

I'm experiencing some issues in our password rest flow, once the user completes the password reset flow they are automatically logged into the application via PKCE as the state is replayed.
We’ve removed the client_id from the url in the email and are still experiencing the same issue. We want users to end up on /password/complete

We followed the steps on this forum from @robotdan which we believe is either out of date or a bug is introduced preventing this from working as expected.
https://fusionauth.io/community/forum/topic/366/prevent-redirect-after-forgot-password-flow

Affects versions

We're currently experiencing the problem on version 1.36.8

Steps to reproduce

Steps to reproduce the behaviour:

1. Enable the password complete theme template
2. Start the Forgot Password Flow
3. Click the link received in your email (ensure this doesn't include the client_id)
4. Confirm your new password
5. Click Confirm
   At this point the user will be automatically logged into the application.

Expected behaviour

Once the user enters a new password and hits confirm, we expect them to land on /password/complete

Screenshots

Platform

Device: PC
OS: MAC
Browser: Chrome
Database: postgres

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

Add any other context about the problem here.

Related Issues

• Password Reset Workflow after Reset [SUPPORT REPORTING] #2630
• Support redirect after change password flow  #2110

[robotdan]

I think this is working as designed. Can you provide an example URL that the user is clicking on from the email?

[deelalwani]

@robotdan

An example of the user would look like the following: https://iam.test.educationperfect.io/password/change/ABuQ1qSMfWXNFhBEOZ1QvepU16mTTEXuC_JrvbxJCmY?code_challenge=kbjigSysh1qn51jTSh28i4I4di9iYNUY7Ldze5FM17Q&code_challenge_method=S256&metaData.device.name=macOS%20Chrome&metaData.device.type=BROWSER&redirect_uri=%2Fadmin%2Flogin&response_type=code&scope=offline_access&state=Rkv55G1tpbnQnfglbB368mmd5atHKnCPB3wWZcJDhgw&timezone=Pacific%2FAuckland

[robotdan]

This is all working as expected. Landing on the password complete page will only happen if we do not have any context from the original login request.

If you would prefer the user to land on the complete page, you will need to modify how you are building the URL. Ideally you'll want to leave the client_id so that the page can optionally be themed. But if you remove the redirect_uri the OAuth2 request will not be fully reconstructed and the user will land on the complete page.

[epbensimpson]

There's a problem with this - making this change also means you can't have a "Return to login" button on the "Forgot password sent" page (or in the forgot password email for that matter).

Could you please consider adding a configuration option to control this rather than relying on the theme? Using themes to control this sort of functionality is a really bad experience.

[LucasPMorris]

Related Issue: #2630

[LucasPMorris]

Related Issue: #2110