arazzo: 1.0.1
info:
  title: Google Workspace Reset a User Password
  summary: Confirm a user, set a new password forcing change at next login, sign them out.
  description: >-
    A help-desk password reset flow. The workflow confirms the user exists,
    patches a new temporary password while forcing a password change at next
    login, and signs the user out of all sessions so the old credentials can no
    longer be used. Every step spells out its request inline so the flow can be
    read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: directoryApi
  url: ../openapi/admin-sdk-directory-api.yml
  type: openapi
workflows:
- workflowId: reset-user-password
  summary: Set a temporary password for a user and revoke their existing sessions.
  description: >-
    Reads the user to confirm it exists, patches a new password with
    changePasswordAtNextLogin set, and signs the user out of all sessions to
    invalidate existing credentials.
  inputs:
    type: object
    required:
    - accessToken
    - userKey
    - newPassword
    properties:
      accessToken:
        type: string
        description: OAuth 2.0 bearer access token with the admin.directory.user scope.
      userKey:
        type: string
        description: Primary email, alias, or unique id of the user to reset.
      newPassword:
        type: string
        description: The new temporary password, 8-100 ASCII characters.
  steps:
  - stepId: lookupUser
    description: >-
      Confirm the user exists and capture its id before changing the password.
    operationId: getUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
      primaryEmail: $response.body#/primaryEmail
  - stepId: setPassword
    description: >-
      Patch the user with the new temporary password and force a password
      change at the next login.
    operationId: patchUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    requestBody:
      contentType: application/json
      payload:
        password: $inputs.newPassword
        changePasswordAtNextLogin: true
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
  - stepId: revokeSessions
    description: >-
      Sign the user out of all active sessions so the previous password can no
      longer be used.
    operationId: signOutUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 204
  outputs:
    userId: $steps.setPassword.outputs.userId
    primaryEmail: $steps.lookupUser.outputs.primaryEmail