I have an API that is ASP.NET webapi2. Not .NET Core. Then I have a React SPA. I'm using Identity and Oauth2.
I'm implementing the auth system and the password reset flow has me a little stumped. The API will generate a token that is emailed to the client. The client then clicks the link to navigate somewhere.
It makes sense for the link to navigate to the client javascript app which then takes the parameters from the token and submits them to the API. The problem with this is that the client url has to be known by the API to be able to generate the link. I don't want the API to know anything about where client apps are located because that seems like dumb coupling.
Another option is the password reset link navigates directly to the API where it then redirects the user to a client app. That has the same problem that the API needs to know where the client is and it also has this nasty redirect hack.
Are there resources on this or suggestions on how this is supposed to work?
Thanks
I believe what you are looking for is the identity provider's "login" portal. Flow for a password reset is part of the identity provider, not your main application. So when your users click their password reset it sends them to the identity provider password reset page (this reset password link probably should not exist in your main app at all). Once it is reset, the user will login and be redirected to your app with a authorization token which you will exchange for a access token. The redirect would have to be configured for each application that wants to use your identity provider.