06 October 2022 (v2.80)

ReachFive v2.80 adds the verification_code option as part of the password reset flow, makes it easy to disable the ROPC flow from the console, and makes it possible to keep lite profiles on file even after deleting provider identities through the API. We also fixed a couple of issues.

Password reset

You can now send a verification_code in an email as part of the forgot password workflow.

For more on the forgot password email template, see Password reset.



Security

For additional protection, we have made it easy for you to disable the Resource Owner Password Credentials (ROPC) flow. When the flow is disabled, API calls to the oauth/token endpoint with "grant_type": "password" are blocked with the 403 error code. We offer this option because we do not recommend the ROPC flow, especially for public clients.

You can add this to your First-party Identity client directly from the ReachFive Console as shown below:

[Screenshot: disabling the ROPC flow in the ReachFive Console]

For more on First-party Identity clients, check out our Clients page.
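One way to confirm the setting took effect is to probe the token endpoint with dummy credentials and check for the 403 described above. This is an added example, not ReachFive code: the body fields other than grant_type, the reading of 200/400/401 as "flow still enabled", the client IDs and the local stub server are all assumptions constructed for illustration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def ropc_status(token_url, client_id, urlopen=urllib.request.urlopen):
    """Probe the token endpoint with dummy credentials and classify the reply."""
    body = json.dumps({"grant_type": "password", "client_id": client_id,
                       "username": "probe@example.invalid",  # assumed field names,
                       "password": "not-a-real-password"}).encode()  # dummy values
    req = urllib.request.Request(
        token_url, data=body, headers={"Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            code = resp.status
    except urllib.error.HTTPError as err:
        code = err.code
    if code == 403:
        return "disabled"  # password grant blocked, as the release note describes
    if code in (200, 400, 401):
        return "enabled"  # assumption: the grant was processed, credentials judged
    return f"inconclusive ({code})"


class StubTokenEndpoint(BaseHTTPRequestHandler):
    """Constructed local stand-in for a token endpoint, not ReachFive's server."""
    ropc_disabled = {"ropc-off"}  # constructed client ID with the flow disabled

    def do_POST(self):
        data = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        blocked = (data.get("grant_type") == "password"
                   and data.get("client_id") in self.ropc_disabled)
        self.send_response(403 if blocked else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def demo():
    direct = urllib.request.build_opener(urllib.request.ProxyHandler({})).open
    with HTTPServer(("127.0.0.1", 0), StubTokenEndpoint) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/oauth/token"
        result = {c: ropc_status(url, c, direct) for c in ("ropc-off", "ropc-on")}
        server.shutdown()
        return result
```

Against a real tenant, call ropc_status with your own token URL and client ID; an "enabled" result for a public client means the password grant is still being accepted.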



Other improvements

You can now pass the keepInLiteProfile boolean in the removeUserIdentity and removeUserProvider Management API calls if you want to keep the user information in a lite profile even after performing the delete operation.

For more on lite profiles, see LITE registration.



Fixes

Item Fixed

In some cases, the user profile to be merged (:uid2) with mergeUsers was still showing up in the search index.

In some cases, there were multiple profile_compromised events attached to one compromised profile instead of just one.

For more on this topic, see Identity Fraud Protection.