Recover ID and Reset Password Processes
Content
- Overview
- Multiple Process Orchestration
- Process Flow
- App Settings
- Password Reset and Recovery User Journey
- API Walkthroughs
- Error Codes
- Revision History
Overview
In the event that a user misplaces and forgets their password, they can use their registered email address or mobile number to recover their User ID, and then set a new password to replace forgotten one. The full operation is orchestrated by two distinct but related Processes, because the user will need to navigate from the client UI to complete their journey.
Multiple Process Orchestration
Most user journeys are facilitated by a single Process. However, there are some cases where ULM orchestrates and links two or more Processes together to complete a given journey.
The Recover ID Process starts the user journey and sends a verification action token to a user's verified email address or mobile number. Once the user redeems that token with the GET session/token API, the API calls the Reset Password Process that then prompts the user set a new password.
Process Flow
This table describes the Process functionality at a high level.
| Recover ID and Reset Password Process | ||
|---|---|---|
| Actors | Front-end User, Client Application, ULM Cloud. | |
| Pre-Conditions | The front-end user has a ULM User ID with a verified authN ID and a set password. | |
| The user is currently anonymous to ULM (i.e., they are not signed in). | ||
| Basic Flow | 1 | From the sign-in page, the user clicks a Forgot Password? The Recover ID Process starts here. |
| 2 | The user submits an email or mobile registered as their registered authentication identifier (authN ID). | |
| 3 | ULM locates the User ID. | |
| Notes: - If the User ID has more than one registered, verified authN ID, then the Process prompts the user with a list of obfuscated authN IDs to select one. The user must select one before the Process proceeds. - All displayed emails and mobile numbers are obfuscated according to app settings. - If the User ID does not have more than one authN ID, then the Process simply proceeds. |
||
| 4 | ULM sends a verification action token to the user's selected email/mobile. The Recover ID Process ends here. | |
| Notes: - ULM Cloud sends either a long-form, clickable link (with a the token appended to the URL), or a short-form, numeric One-Time Passcode (OTP). |
||
| 5 | The user redeems the action token. The Reset Password Process starts here. | |
| Notes: - If the user receives and clicks/taps a link, this link redirects them to the client application. - If the user receives an OTP, then they enter it directly into the client application UI. - See the notification settings under the ULM Action Tokens topic for more information. |
||
| 6 | ULM Cloud prompts the user to set a new password. | |
| 7 | The user submits their new password. | |
| Notes: - Password complexity rules are set in the MarketONE ULM Admin web application. |
||
| Post-Conditions | The user's password has been reset. The Reset Password Process ends here. | |
| Error Messages | User not found.
Note: "User not found" is not exposed to the UI as an error message. Instead, the process returns "A recovery link has been sent to the provided email address or mobile number." |
|
| The provided password does not match validation rules. | ||
| The user has reached the maximum number of failed input attempts. | ||
| Exceeded the limit OTP entry attempts. | ||
App Settings
Certain aspects of the Process' behaviour are controlled by configurable application settings.
| ULM Admin Application Settings | Description | Default Settings |
|---|---|---|
| Email Obfuscation Grouping Pattern | JSON that defines how displayed user emails are grouped together. | default=(\w{1})(\w+)?(@.*) |
| Email Obfuscation Rule | JSON that defines the masking pattern that obfuscates displayed emails. | default=$1****$3 |
| Mobile Obfuscation Grouping Pattern | JSON that defines how displayed user mobile numbers are grouped together. | default=^\(?([0-9]{1})([0-9]{2})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{3})([0-9]{1})$ |
| Mobile Obfuscation Rule | JSON that defines how the masking pattern that obfuscates displayed mobile numbers. | default=($1**)***-***$5 |
| TokenURL | Base for the action token URL to include in the notification message sent to the user's external channel. The actual token value will be appended to this String to form the complete URL. This app setting is applicable for when a user attempts to sign-in with an unverified email/mobile. When this occurs, the Process sends the token out to that email/mobile for verification. |
https://idp/user_confirm?token_value= |
| Token (long-form) Expiration | Determines the number of minutes before a verification link expires. | 10080 minutes (7 days) |
| Token (short-form) Expiration | Determines the number of minutes before a short OTP expires. This setting is not configurable, and is simply noted here for context. |
5 minutes |
| Password Complexity Rules | Defines the minimum criteria for an acceptable password. Configuration points include: - Whether or not to require at least one uppercase (A-Z) character - Whether or not to require at least one lowercase (a-z) character - Whether or not to require at least one numeric (0-9) character - The minimum password length |
A-Z: Enabled a-z: Enabled 0-9: Enabled Minimum length: 8 |
All app settings are set in the MarketONE ULM Admin web application. System managers and administrators can consult the ULM Admin User Guide.
Password Reset and Recovery User Journey
This flow illustrates the standard user journey using the Password Reset and Password Recovery Processes.
This diagram also incorporates:
- A quick resend message option (PUT session/token)
- Long-form URL and short-form OTP verification options (GET session/token)
API Walkthroughs
The following section provides guided walkthroughs of the Recover ID and Reset Password Processes.
Recover ID Scenario
An anonymous user selects to recover their User ID via their only registered authN ID (email or mobile).
Initial Request
The Process Start API initializes the Process:
| POST /process/start/recovery.PasswordRecovery.v1.0 |
|---|
<no body>
|
Response: Prompt for AuthN ID
The Process responds with a request to provide a registered, email or mobile:
| Response Body |
|---|
{
"processId": "80d248a2-ec15-428f-be42-500426fabec9",
"processName": "recovery.PasswordRecovery.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"authnIdentifier": "String"
},
"stepName": "UsernamePrompt",
"lastStep": false
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that specifies the info this Process requires to continue its task. | |
| authnIdentifier | One of the user's available Authentication Identifiers, used to identify the ULM Cloud profile. | |
Next Request: Provide user's AuthN ID
The user provides their AuthN ID, and the client passes it through the next Process Step API request:
| PUT /process/step |
|---|
{
"processId": "80d248a2-ec15-428f-be42-500426fabec9",
"parameters": {
"authnIdentifier": "bob@example.com"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Object that contains the data that was requested in the previous Process response. | |
| authnIdentifier | One of the user's available Authentication Identifiers, used to identify the ULM Cloud profile. | |
Response: Success
ULM delivers a notification to the email/mobile with a token and/or link which can be used to complete the password recovery. The Process ends, and returns a 200 HTTP status.
| Response Body |
|---|
{
"processId": "80d248a2-ec15-428f-be42-500426fabec9",
"processName": "recovery.PasswordRecovery.v1.0",
"lastStep": true,
"output": {
"pkat": "7c72281e-deb1-430c-be59-f3e0af71174d",
"selectedRecoveryOptionType": "EMAIL",
"selectedRecoveryOption": "b**@example.com"
}
}
|
OTP Verification and Resend Verification
Any Process step that sends a ULM action token also returns a corresponding pkat to the client application. In order to enable OTP verification on the UI, the client must retain the pkat returned by the final Process step. The pkat, along with the user supplied OTP, is required for the GET /session/token?customToken={OTP}&pkat={pkat} API to invoke the Reset Password Process.
The pkat is also required if the application wants to provide a quick verification message resend option on the UI, using the PUT /session/token?pkat={pkat} API.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| pkat | Unique Proof Key for Action Token that corresponds to an existing action token. See Action Tokens for more details. | |
| selectedRecoveryOptionType | Identifies the method (email or SMS) in which a recovery message was generated and delivered to. | |
| selectedRecoveryOption | Identifies the e-mail address or phone number in which a recovery message was generated and delivered to.
Sensitive data (email address / mobile number) is masked out for security concerns. |
|
Note: Even if an invalid authN ID is supplied to the Process (no matching user exists within ULM), the Process will respond as if a notification has been sent. This is a security measure to prevent malicious actors from brute-force attempts to read read responses and determine valid authN IDs. ULM will not try to deliver notifications to users who do not exist. Instead, the Process silently fails.
Reset Password Scenario - Token URL
The user receives a recovery verification message in an email/SMS. The message includes a clickable/tappable link that is composed of two parts:
- A redirect URL back to the client application.
- The actual ULM action token appended to the end of the URL.
Initial Request: User Clicks Recovery Link
The user goes to their email/SMS and clicks the link. This directs their browser to the client application that takes the token value in the URL and passes it into the GET session/token API.
| GET /session/token?value=4cba991d-83ba-4f58-85ed-18a9dc32327f |
|---|
<no body>
|
If the token is valid, this API invokes the Reset Password Process.
Response: Prompt to Set New Password
The Process responds with a request for a new password:
| Response Body |
|---|
{
"processId": "de11cb72-c03b-423f-a6ed-4e13e2c6ddd2",
"processName": "recovery.PasswordReset.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"newPassword": "String"
},
"stepName": "NewPasswordPrompt",
"lastStep": false
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
|
stepName |
Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that specifies the info this Process requires to continue its task. | |
| newPassword | The new password, as required by the Process. | |
Next Request: User Provides New Password
The user supplies their desired new password, and the client passes it to the Process with the Process Step API.
| PUT /process/step |
|---|
{
"processId": "de11cb72-c03b-423f-a6ed-4e13e2c6ddd2",
"parameters": {
"newPassword": "Sp4rinkl35"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Data object that contains the data request in the previous Process response. | |
| newPassword | The new password, as supplied by the user. | |
Response: Success
If the password passes complexity validation, the Process completes its task and returns a 200 HTTP status code.
| Response Body |
|---|
{
"processId": "de11cb72-c03b-423f-a6ed-4e13e2c6ddd2",
"processName": "recovery.PasswordReset.v1.0",
"lastStep": true
}
|
The user must now use the new password set whenever they are prompted to provide it.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
Reset Password Scenario - OTP
The user receives a short-form custom One-Time Passcode (OTP) in an email/SMS. They must provide this OTP to the client application UI.
Initial Request
The user goes to their email/SMS and retrieves the OTP. They then enter the OTP into the client application. The application passes both the OTP and the PKAT into the GET session/token API.
| GET /session/token?customToken=549330&pkat=cd02eeae-9295-4974-b211-999bd12d64d7 |
|---|
<no body>
|
If both the OTP and PKAT are valid, this API invokes the Reset Password Process.
Response: Prompt to Set New Password
The Process responds with a request for a new password:
| Response Body |
|---|
{
"processId": "de11cb72-c03b-423f-a6ed-4e13e2c6ddd2",
"processName": "recovery.PasswordReset.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"newPassword": "String"
},
"stepName": "NewPasswordPrompt",
"lastStep": false
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that specifies the info this Process requires to continue its task. | |
| newPassword | The new password, as required by the Process. | |
Next Request: User Provides New Password
The user supplies their desired new password, and the client passes it to the Process with the Process Step API.
| PUT /process/step |
|---|
{
"processId": "de11cb72-c03b-423f-a6ed-4e13e2c6ddd2",
"parameters": {
"newPassword": "Sp4rinkl35"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Data object that contains the data request in the previous Process response. | |
| newPassword | The new password, as supplied by the user. | |
Response: Success
If the password passes complexity validation, the Process completes its task and returns a 200 HTTP status code.
| Response Body |
|---|
{
"processId": "de11cb72-c03b-423f-a6ed-4e13e2c6ddd2",
"processName": "recovery.PasswordReset.v1.0",
"lastStep": true
}
|
The user must now use the new password set whenever they are prompted to provide it.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
Error Scenario: Invalid Password
If the user provides an invalid new password, the Process responds with a HTTP 400 status code.
The body includes a fieldErrors array with the reason(s) as to what went wrong:
| Response Body |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"stepName": "NewPasswordPrompt",
"lastStep": false,
"fieldErrors": [
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "password-regex-rule-violation-.*[0-9].*"
},
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "blacklisted-password"
},
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "password-regex-rule-violation-.{8,}"
},
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "password-regex-rule-violation-.*[A-Z].*"
}
],
"lastFailedStepAction": {
"processId": "90163eaa-3d8a-4fa3-b2b5-100ea14b7a9f",
"processName": "recovery.PasswordReset.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"newPassword": "String"
},
"stepName": "NewPasswordPrompt"
}
}
|
In the above example, the fieldErrors array indicates the following:
- The password fails to include at least one number (0-9)
- The password is on an internal list of commonly banned passwords
- The password fails to meet the minimum length of (8 characters)
- The password fails to include at least one capital (A-Z)
Reminder: Rules are configured under the Password Complexity Rules setting in the MarketONE ULM Admin UI.
The Process also includes a lastStepFailedAction object that repeats the previous Process step's request. The user can re-attempt their request with a different (ideally stronger) password.
| Parameter | Description | |
|---|---|---|
| processId | The unique identifier for this instance of the Process. | |
| stepName | The internal name of the step that the Process is currently on / just executed. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| fieldError | Array of possible error objects. Each object describes a separate error condition. | |
| field | The name of the specific field where the error occurred. | |
| code | An error object's internal code name. | |
| rejectedValue | The actual value that caused the error | |
| message | Optional message that describes the error. | |
| lastFailedStepAction | Object that repeats the previous Process step's details and required input. This allows the client to retry the failed request. | |
Error Codes
Below is a comprehensive list of potential error codes that may be returned during the execution of this Process.
Common Error Codes
Process-Specific Error Codes
| HTTP Status | Format | ULM Error Code | FieldError | Description |
|---|---|---|---|---|
| 400 | validation error | NotWeakPassword | newPassword | The password provided did not meet the minimum criteria for a sufficiently complex password. |
| 400 | validation error | NotEmpty | newPassword | No password was supplied. |
| 400 | operation error | process-terminated-with-too-many-retries | N/A | Process terminated with too many failed user input attempts. |
| 400 | operation error | process-terminated-with-invalid-domain | N/A | Process terminated because of an invalid domain. |
| 400 | operation error | option-not-found | N/A | Client provided an invalid recovery option to the Process. |
Revision History
| Version | Description |
|---|---|
| 2020.09 | Added this topic. |