Using native authentication in Entra External ID to run the SSPR flow for a user with email and OTP

Rory Braybrook
The new control plane
3 min read, Apr 16, 2024

Please read my previous post first.

The docs are here.

You can also reset the password via the Graph API, but this approach lets you fully craft the UI.

Essentially, you use the API to reset a user’s password. The flow is:

  • you specify an email address
  • an OTP is sent to that email address, and you need to provide a way to enter it
  • you send the OTP back to the API to verify it
  • then you need to provide a way to enter the user’s new password
  • you send the new password back to the API
  • optionally, you can poll for the status of the password reset
  • the user’s password is updated

You are free to do this on one page or use multiple pages or whatever.

As before, we will use Postman.

Step 1

Image of Postman step with parameters as below

The URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/resetpassword/v1.0/start

where the parameters are:

client_id=c7...18
&challenge_type=oob redirect
&username=xxx@gmail.com

The response is:

{
"continuation_token": "AQA...IAA"
}

Step 2

Image of Postman step with parameters as below

The URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/resetpassword/v1.0/challenge

where the parameters are:

client_id=c7...18
&challenge_type=oob redirect
&continuation_token=AQAB...

At this point, an email will be sent to the username entered above containing an OTP that needs to be entered in the next step.

Image of email with OTP code

The response is:

{
"continuation_token": "AQA...IAA",
"challenge_type": "oob",
"binding_method": "prompt",
"challenge_channel": "email",
"challenge_target_label": "xxx@g*******m",
"code_length": 8
}

Step 3

Image of Postman step with parameters as below

The URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/resetpassword/v1.0/continue

where the parameters are:

continuation_token=AQA... 
&client_id=c7...18
&grant_type=oob
&oob=29995199

The response is:

{
"expires_in": 600,
"continuation_token": "AQA...IAA"
}

Step 4

Image of Postman step with parameters as below

The URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/resetpassword/v1.0/submit

where the parameters are:

client_id=c7...18
&continuation_token=AQ...
&new_password=Secure1234...

The response is:

{
"continuation_token": "AQA...IAA",
"poll_interval": 2
}

Step 5

This step is optional.

“Lastly, since updating of the user’s configuration with the new password incurs some delay, the app can use the /poll_completion endpoint to poll Microsoft Entra for password reset status.

The minimum amount of time in seconds that the app should wait between polling requests is returned from the /submit endpoint in the poll_interval parameter.”

Image of Postman step with parameters as below

The URL is:

https://tenant.ciamlogin.com/tenant.onmicrosoft.com/resetpassword/v1.0/poll_completion

where the parameters are:

client_id=c7...18
&continuation_token=AQA...

The response is:

{
"status": "succeeded",
"continuation_token": "BeG...Q$$"
}
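Putting the five steps together, here is an added Python example (not code from the post or from Microsoft's SDK) that drives start, challenge, continue, submit and poll_completion with urllib, threading each continuation_token into the next request only. The tenant name, client_id and the sample responses inside demo() are constructed placeholders modelled on the values in the post, and the "in_progress" poll status is an assumption (the post only shows "succeeded").

```python
import json, time
from urllib.parse import urlencode
from urllib.request import Request, urlopen
# Constructed placeholders: substitute your tenant name and app registration client_id.
TENANT, CLIENT_ID = "tenant", "c7...18"
BASE = f"https://{TENANT}.ciamlogin.com/{TENANT}.onmicrosoft.com/resetpassword/v1.0"
def http_post(endpoint, form):  # real transport: form-encoded POST, JSON body back
    req = Request(f"{BASE}/{endpoint}", data=urlencode(form).encode(), method="POST")
    with urlopen(req) as resp:
        return json.loads(resp.read())
def sspr_flow(username, read_otp, new_password, post=http_post, sleep=time.sleep, max_polls=10):
    """start -> challenge -> continue -> submit -> poll_completion. Each continuation_token
    feeds only the next request; reusing a stale one gives the post's AADSTS9002313 error."""
    tok = post("start", {"client_id": CLIENT_ID, "challenge_type": "oob redirect",
                         "username": username})["continuation_token"]
    ch = post("challenge", {"client_id": CLIENT_ID, "challenge_type": "oob redirect",
                            "continuation_token": tok})
    if ch.get("challenge_type") != "oob":  # e.g. "redirect": tenant wants the browser flow
        raise RuntimeError(f"unsupported challenge_type {ch.get('challenge_type')!r}")
    otp = read_otp(ch["challenge_target_label"], ch["code_length"])
    if not (otp.isdigit() and len(otp) == ch["code_length"]):
        raise ValueError("OTP must be exactly code_length digits")
    tok = post("continue", {"client_id": CLIENT_ID, "grant_type": "oob", "oob": otp,
                            "continuation_token": ch["continuation_token"]})["continuation_token"]
    sub = post("submit", {"client_id": CLIENT_ID, "continuation_token": tok,
                          "new_password": new_password})
    for _ in range(max_polls):
        sleep(sub.get("poll_interval", 2))  # never poll faster than the server's minimum
        st = post("poll_completion", {"client_id": CLIENT_ID,
                                      "continuation_token": sub["continuation_token"]})
        if st["status"] != "in_progress":  # "in_progress" is assumed; the post shows only "succeeded"
            return st["status"]
    return "timeout"
def demo():  # offline run against constructed responses modelled on the post's five steps
    calls, prev = [], {"challenge": "T1", "continue": "T2", "submit": "T3", "poll_completion": "T4"}
    def fake_post(endpoint, form):
        calls.append(endpoint)
        if endpoint != "start" and form["continuation_token"] != prev[endpoint]:
            raise RuntimeError("invalid_grant: AADSTS9002313")  # stale/wrong token, as in the post
        return {"start": {"continuation_token": "T1"},
                "challenge": {"continuation_token": "T2", "challenge_type": "oob",
                              "challenge_target_label": "xxx@g*******m", "code_length": 8},
                "continue": {"expires_in": 600, "continuation_token": "T3"},
                "submit": {"continuation_token": "T4", "poll_interval": 2},
                "poll_completion": {"status": "succeeded" if calls.count("poll_completion") > 1
                                    else "in_progress"}}[endpoint]
    status = sspr_flow("xxx@gmail.com", lambda label, n: "29995199", "Secure1234...",
                       post=fake_post, sleep=lambda s: None)
    return status, calls
```

Against a real tenant, pass a read_otp callback that prompts the user for the emailed code and leave post and sleep at their defaults.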

By the way, if you get this error:

"error": "invalid_grant",
"error_description": "AADSTS9002313: Invalid request. Request is malformed
or invalid. Trace ID: ec...00 Correlation ID: 7f...b8
Timestamp: 2024-04-10 21:23:26Z",
"error_codes": [
90023

I’ve found that it can be caused by using the wrong continuation_token.

All good!
