Multi-Factor Authentication (2FA) & Security
1. Password Reset Email Not Received Due to Expired Training Instance
Login attempts fail and the Forgot Password option does not trigger a password reset email. Access to the account is not granted because the expected reset communication is not received.
Root cause
The email address used for login is associated with an expired training instance, which prevents the password reset process from functioning.
Resolution
- Create a new training instance using a different email address.
- Create a new training instance using the same email address while selecting a different region instead of AWS NA.
After creating a new training instance, attempt to log in or trigger the password reset process to verify if access is restored.
2. Updating User Email Addresses Following Domain Changes
Email address updates to a new domain fail when the email field is non-editable. This occurs because the platform does not allow direct modification of existing user email addresses.
Root cause
User email addresses are immutable in Contentstack and cannot be modified once an account has been created.
Resolution
- Remove users with the old email domains from the organization.
- Re-invite users using their new email addresses.
- Reassign the necessary roles and permissions to the newly invited accounts.
- Configure alias support on the Identity Provider, such as Okta or Azure AD, if SSO is enabled.
After re-inviting the users and reassigning permissions, have the users log in with their new email addresses to verify if access is restored.
3. Live Preview Fails to Load with Third-Party Authentication
Live Preview fails to load when the application uses a third-party authentication provider and redirection. Preview windows remain empty or fail to initialize because the authentication flow is blocked.
Root cause
Live Preview does not support third-party OAuth authentication flows: the redirects these flows require are blocked inside iframes, which is a documented security limitation.
Resolution
- Verify if the application uses third-party OAuth authentication flows (such as Keycloak) that require redirection.
- Refer to the Live Preview limitations documentation to confirm unsupported authentication methods.
- Note that this restriction is expected behavior and cannot be bypassed using Content Security Policy (CSP) changes.
After reviewing the authentication flow and documentation, verify if removing the redirection requirement for the preview environment allows the preview to load.
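Added example (not Contentstack code): a redirect-based login usually fails inside an iframe because the identity provider's login page forbids framing through its X-Frame-Options or Content-Security-Policy frame-ancestors response headers, and that is assumed to be the mechanism here. The sketch evaluates those headers for a given embedding origin; every hostname and header value in it is a constructed sample.

```javascript
// Simplifications: one embedding parent (browsers check every ancestor), one CSP
// header, and a host source written without a scheme matches any scheme.
function matchesSource(source, parentOrigin, responseUrl) {
  const parent = new URL(parentOrigin);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src === "'self'") return parent.origin === new URL(responseUrl).origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return parent.protocol === src; // scheme only
  // host source: [scheme://]host[:port], where host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
  const effectivePort = parent.port || (parent.protocol === "https:" ? "443" : "80");
  const portOk = port === "*" || (port ? effectivePort === port : parent.port === "");
  return hostOk && portOk;
}

// True when a browser would render the response at responseUrl inside an
// iframe whose parent document has origin parentOrigin.
function canBeFramed(headers, responseUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const directive = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return directive.slice(1).some((s) => matchesSource(s, parentOrigin, responseUrl));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return new URL(parentOrigin).origin === new URL(responseUrl).origin;
  return true; // no anti-framing header at all
}

// Constructed samples: preview host, IdP login response, application page response.
const PREVIEW = "https://cms.example.net";
const IDP_URL = "https://idp.example.com/realms/demo/protocol/openid-connect/auth";
const IDP_HEADERS = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
};
const APP_URL = "https://www.example.org/blog";
const APP_HEADERS = { "Content-Security-Policy": "frame-ancestors https://cms.example.net" };

console.log("app page framable:", canBeFramed(APP_HEADERS, APP_URL, PREVIEW));
console.log("IdP login framable:", canBeFramed(IDP_HEADERS, IDP_URL, PREVIEW));
```

Under that assumption, the decision is made from the identity provider's response headers, so a CSP change on the application's own pages does not alter it.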