Programmatic password reset request


Jaden

Sep 17, 2020, 3:59:52 PM
to CAS Community
My application has a "Reset Password" button inside it. When the user clicks that button, I'd like CAS to send them its standard password reset email (the one controlled by the various cas.authn.pm.reset.mail properties). In other words, I want it to behave as if they had clicked "Forgot Password" on the CAS login screen, typed their email address, and clicked Submit.

Is this sort of behavior possible? I'm hoping for something simple like sending a GET request to CAS, but I'll take any solution I can get :-)

Thanks!


Ray Bon

Sep 17, 2020, 5:00:45 PM
to cas-...@apereo.org
Jaden,

Is cas 'Forgot Password' a GET or POST?
Either way, there may be some cookies or hidden form fields that require a GET call to the login page first.
I have done this for JMeter testing of other applications that have to go through the login process, but not for resetting passwords.

Ray


-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Jaden

Sep 17, 2020, 5:31:06 PM
to CAS Community, Ray Bon
Going to the login page (via a GET request) causes the login page to load. It contains a passwordManagementForm, which has a hidden "execution" value (a large token) and a hidden "_eventId" value (set to "resetPassword") inside.

Clicking the Forgot Password button makes a POST call back to the same login page, but passes those two values along, which causes the Reset Password form to load. This form has a different "execution" value, and its "_eventId" is set to "findAccount".

Typing a username here and clicking the Submit button causes yet another POST call to the same login page to be made. This time, the new "execution", "_eventId", and "username" fields are passed along. This seems to be what causes the Reset Password email to be sent.

I could potentially have my application make all of these same calls, in the same order, passing the correct values at each step. In essence, the application would be mimicking a web browser. If this is the only approach, I can give it a try, but it feels like a bit of a hack to me. I was hoping for more of an API that my application could make a single call to.

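The three-step sequence Jaden traced above (GET the login page, POST the passwordManagementForm's execution and _eventId, then POST the new execution with findAccount and the username), written out as an added example for this thread. It is not code from the CAS project. It assumes exactly what the thread reports: a form named "passwordManagementForm" with hidden "execution" and "_eventId" inputs on the login page, and a follow-up form whose hidden "_eventId" is "findAccount"; the URL, usernames and the embedded sample pages are constructed placeholders, and the HTTP step is injected so the flow can be run offline against those pages.

```python
"""Walk the CAS login-page password-reset webflow the thread describes.

Added example for this thread, not code from the CAS project. Assumed from the
thread: the login page holds a form named "passwordManagementForm" with hidden
"execution" and "_eventId" inputs; the form returned after the resetPassword
POST carries a new "execution" plus "_eventId" = "findAccount". The URL,
usernames and sample pages below are constructed placeholders.
"""
import http.cookiejar
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# A fetcher takes (url, form_fields_or_None) and returns the response body.
# None means GET; a dict means a form-encoded POST.
Fetcher = Callable[[str, Optional[Dict[str, str]]], str]


class _HiddenInputs(HTMLParser):
    """Collect hidden <input> name/value pairs, optionally only inside one named form."""

    def __init__(self, form_name: Optional[str]) -> None:
        super().__init__()
        self.form_name = form_name
        self._inside = form_name is None  # no scoping requested: collect everywhere
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and self.form_name is not None:
            self._inside = self.form_name in (a.get("name"), a.get("id"))
        elif tag == "input" and self._inside and a.get("type", "").lower() == "hidden":
            if a.get("name"):
                self.fields[a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self.form_name is not None:
            self._inside = False


def hidden_fields(html: str, form_name: Optional[str] = None) -> Dict[str, str]:
    """Return the hidden inputs of `form_name` (or of the whole page when None)."""
    parser = _HiddenInputs(form_name)
    parser.feed(html)
    return parser.fields


def make_http_fetcher(timeout: float = 15.0) -> Fetcher:
    """Real fetcher: one cookie jar shared across all three steps, as Ray's reply suggests."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def fetch(url: str, data: Optional[Dict[str, str]] = None) -> str:
        body = urlencode(data).encode() if data is not None else None
        with opener.open(urllib.request.Request(url, data=body), timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")

    return fetch


def request_reset_email(login_url: str, username: str, fetch: Fetcher) -> Dict[str, str]:
    """Replay the three browser steps from the thread; returns the final POST body."""
    # Step 1: GET the login page and read the passwordManagementForm hidden fields.
    pm = hidden_fields(fetch(login_url, None), "passwordManagementForm")
    if "execution" not in pm or pm.get("_eventId") != "resetPassword":
        raise ValueError("login page lacks passwordManagementForm execution/_eventId")
    # Step 2: POST them back; the response is the Reset Password (find account) form.
    find = hidden_fields(fetch(login_url, {"execution": pm["execution"], "_eventId": "resetPassword"}))
    if "execution" not in find or find.get("_eventId") != "findAccount":
        raise ValueError("reset form lacks a fresh execution token or findAccount event")
    # Step 3: POST the new execution, findAccount and the username; this is the call
    # that, per the thread, causes the reset email to be sent.
    final = {"execution": find["execution"], "_eventId": "findAccount", "username": username}
    fetch(login_url, final)
    return final


# Constructed stand-in pages so the flow can be exercised offline.
SAMPLE_LOGIN_PAGE = (
    '<form name="loginForm" method="post"><input type="hidden" name="execution" value="e1s1"/>'
    '<input type="hidden" name="_eventId" value="submit"/></form>'
    '<form name="passwordManagementForm" method="post">'
    '<input type="hidden" name="execution" value="e1s1"/>'
    '<input type="hidden" name="_eventId" value="resetPassword"/></form>'
)
SAMPLE_RESET_PAGE = (
    '<form id="resetPasswordForm" method="post"><input type="text" name="username"/>'
    '<input type="hidden" name="execution" value="e1s2"/>'
    '<input type="hidden" name="_eventId" value="findAccount"/></form>'
)


def fake_fetcher(calls: list) -> Fetcher:
    """Offline fetcher that records each call and serves the constructed pages."""
    def fetch(url, data=None):
        calls.append((url, data))
        if data is None:
            return SAMPLE_LOGIN_PAGE
        if data.get("_eventId") == "resetPassword":
            return SAMPLE_RESET_PAGE
        return "<p>constructed confirmation page</p>"
    return fetch


if __name__ == "__main__":
    log: list = []
    print(request_reset_email("https://cas.example.edu/cas/login", "jdoe", fake_fetcher(log)))
    print(len(log), "requests made")
```

Swap `fake_fetcher(log)` for `make_http_fetcher()` to run it against a real login URL. Two points matter for the application side: the cookie jar must persist across the three requests, because the execution token is tied to the server-side flow state that the first GET established, and the username should come from the caller's authenticated session rather than from a free-form input, since nothing in this flow otherwise ties the requester to the account whose reset mail is sent.
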
Ray Bon

Sep 17, 2020, 6:28:21 PM
to jaden.b...@gmail.com, cas-...@apereo.org
Jaden,

That is the extent of my familiarity with password reset.
I have never used the APIs.

Ray

Jaden

Sep 17, 2020, 6:44:08 PM
to CAS Community, Ray Bon, Jaden
No worries, thanks for the info! It gives me something to try, which is already better than where I was before :-D

If anyone else knows of any APIs I might be able to call instead, I'd be very interested to get more info on those. Thanks!
