Item15054: Unable to reset password using an outlook.com email account
Priority: Urgent
Current State: Confirmed
Released In: 2.2.0
Target Release: minor
Applies To: Engine
Component:
Branches:
ResetPassword or UserRegistration sends a one-time access token to the user, forcing them to change their password afterwards.
However, when this is an email account hosted by outlook.com, those emails are preprocessed, i.e. all links are tested and rewritten to some https://..safelinks.protection.outlook.com?url=origurl.
While doing so, the one-time access token is invalidated, so that the user cannot use it anymore to proceed with changing the password / confirming the account.
--
MichaelDaum - 23 Nov 2021
Any suggestion on how to address this? The obvious way is not to use Outlook. But that is not really a solution.
Do we need a different scheme?
Should we obfuscate the url?
--
BramVanOosterhout - 19 Dec 2021
I think that instead of using a one-time access token we need to come up with another approach here.
--
MichaelDaum - 19 Dec 2021
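One scheme that survives link prefetching, added here as an illustration and not code from Foswiki: the token is only checked (never consumed) on the GET that a mail scanner performs, and is consumed on the explicit POST of the change-password form. Class and function names, the TTL and the in-memory store are assumptions for this example.

```python
import secrets
import time

TOKEN_TTL = 3600  # seconds; constructed value for this example


class OneTimeTokens:
    """Password-reset tokens that are consumed only by an explicit POST.

    A link scanner only ever issues a GET on the emailed URL, so validating
    on GET without consuming keeps the token alive for the real user, who
    then consumes it by submitting the form rendered by that GET.
    """

    def __init__(self):
        # token -> (login, expiry). A real store would keep a hash of the
        # token at rest rather than the token itself.
        self._store = {}

    def issue(self, login):
        token = secrets.token_urlsafe(32)
        self._store[token] = (login, time.time() + TOKEN_TTL)
        return token

    def _valid(self, token):
        entry = self._store.get(token)
        return entry is not None and entry[1] >= time.time()

    def handle_get(self, token):
        """Render the change-password form; never consume the token here."""
        if not self._valid(token):
            return "invalid or expired link"
        return "form"  # page carries the token in a hidden field and POSTs it

    def handle_post(self, token, new_password):
        """Consume the token exactly once, only on an explicit submission."""
        if not self._valid(token):
            return False
        login, _ = self._store.pop(token)
        # caller would set new_password for `login` here
        return True


def scanner_then_user(tokens, login):
    """Simulate a mail scanner prefetching the link before the user clicks."""
    token = tokens.issue(login)
    scanner = tokens.handle_get(token)               # prefetch by mail gateway
    user_get = tokens.handle_get(token)              # real user opens the link
    user_post = tokens.handle_post(token, "new-pw")  # user submits the form
    replay = tokens.handle_post(token, "new-pw")     # second submission fails
    return scanner, user_get, user_post, replay
```

A scanner that also submits forms would still consume the token, so a short TTL and single-use semantics remain necessary alongside this change.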