Password Reset

Learn how to implement the SLAS password reset flow in Salesforce Commerce Cloud. This flow allows shoppers to update their passwords and keep their accounts secure.

The process involves calling two SLAS endpoints, shopper-login:getPasswordResetToken and shopper-login:resetPassword, and providing a callback URL to which the SLAS service sends the password reset token.

SLAS password reset tokens expire after 10 minutes.

  1. Set up a publicly accessible callback URL to receive webhook requests from the SLAS service and send reset tokens to shoppers via email, SMS, or other means.
  2. Configure your SLAS Client with that callback URL.
  3. Generate a unique code challenge and code verifier.
  4. Create a reset form that calls shopper-login:getPasswordResetToken with your callback URL, beginning the process.
  5. Create an update form that the shopper arrives at by following the link your server sent them. The shopper provides their new password as well as the token, and their password is updated. They can then log in using their new password.
  • A publicly accessible callback URL, such as an ECOM instance, Managed Runtime environment, or your own server.

    If you don't currently have a callback URL, you can use a public service such as Webhook.site for testing purposes.

  • A SLAS Client configured with your callback URL.

  1. Call the SLAS endpoint shopper-login:getPasswordResetToken to begin the password reset process.
    1. Provide your publicly accessible callback_uri that receives the webhook request from the SLAS web service with the password reset payload.
    2. Generate a unique code challenge and code verifier and store the code verifier in a secure location.
  2. The callback_uri is validated against the SLAS Client's allowed callback URLs.
  3. If the callback_uri is valid, SLAS sends a POST request to the callback URL with the password reset token, for example:
  • The SLAS web service makes an HTTP POST request with Content-Type: application/json to your callback URL. The payload contains the token, an eight-digit numeric value needed to reset the password, along with possible ways to contact the shopper: the email address and phone number associated with their profile, if available. Commonly, the shopper’s email_id and login_id are the same, but in Commerce Cloud a shopper's email address can differ from the value they use to log in, which is the login_id.
  1. The server hosting the callback URL sends the token to the shopper via email, SMS, or other means. Typically, the token is sent as part of a link that the shopper can click or as a value that the shopper enters in a form.
  2. The shopper provides the token to the SLAS endpoint shopper-login:resetPassword along with their new password to complete the process.

The new password must meet the password complexity requirements set on the B2C Commerce site; otherwise, the request is rejected.

To verify that incoming callback requests originate from SLAS, refer to the steps in Verify SLAS Callback Requests.

The following sample code demonstrates the password reset flow using a SLAS Private Client.

Your callback URL must be accessible to the SLAS web service. That means it cannot require an authentication mechanism for incoming requests. As a specific example, you can’t use B2C Commerce Storefront Protection with SLAS Password Reset.