In the Spring '23 release Salesforce introduced the Headless Identity APIs. These APIs let you separate the back-end authentication process from the front-end identity experience. There are APIs for headless username-password login, passwordless login, registration, forgot password, and guest user flows.
The headless login process is implemented with the OAuth 2.0 Authorization Code grant flow (see more here).
In short, the process is split into two parts:
- calling the authorization endpoint (oauth2/authorize) to get the code, and
- calling the token endpoint (oauth2/token) to exchange the code for the access token
Surprisingly, password expiration is not enforced by either of these endpoints. Password expiration is configured in the profile (Password Policies section).

The login process still works after the password has expired, and new access tokens are issued.
If you need to check whether the password has expired, it has to be done manually.
The endpoint you use to check whether the password has expired, Get User Password Expiration Status, requires the userId; to obtain it you can call the oauth2/userinfo endpoint.
The password expiration status API returns a boolean parameter, which can then be returned in the login process. I have myself implemented this in the code exchange API (see code example here) and added an extra boolean parameter to the response that indicates whether the password has expired or not.
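The flow described above, written out as an added Python example (this is not the author's code from the linked sample, nor Salesforce's own SDK). It assumes the standard Salesforce endpoints named in the post plus the REST resource `/services/data/{version}/sobjects/User/{userId}/password` for the expiration status; the API version, client credentials and URLs are placeholders, and the `fetch` parameter exists so the logic can run offline against constructed responses.

```python
import json
from urllib import parse, request

# Assumption: API version is a placeholder; set it to the version your org supports.
API_VERSION = "v57.0"


def http_json(url, method="GET", headers=None, data=None):
    """Default transport: real HTTPS call, JSON body decoded into a dict."""
    req = request.Request(url, data=data, headers=headers or {}, method=method)
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_code(login_url, client_id, client_secret, redirect_uri, code,
                  fetch=http_json):
    """Second half of the headless flow: trade the authorization code for tokens
    at oauth2/token. Returns the raw token response (access_token, instance_url, ...)."""
    body = parse.urlencode({
        "grant_type": "authorization_code", "code": code,
        "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode()
    return fetch(f"{login_url}/services/oauth2/token", "POST",
                 {"Content-Type": "application/x-www-form-urlencoded"}, body)


def password_expired(instance_url, access_token, fetch=http_json):
    """The manual check the post describes: oauth2/userinfo yields user_id, then the
    User password status resource (Get User Password Expiration Status) reports isExpired."""
    headers = {"Authorization": f"Bearer {access_token}"}
    info = fetch(f"{instance_url}/services/oauth2/userinfo", headers=headers)
    status = fetch(f"{instance_url}/services/data/{API_VERSION}/sobjects/User/"
                   f"{info['user_id']}/password", headers=headers)
    return bool(status["isExpired"])


def login_with_expiry_check(login_url, client_id, client_secret, redirect_uri,
                            code, fetch=http_json):
    """Token exchange extended with a password_expired flag, so the front end can
    require a reset instead of silently using a token issued for an expired password."""
    tokens = exchange_code(login_url, client_id, client_secret, redirect_uri,
                           code, fetch)
    tokens["password_expired"] = password_expired(
        tokens["instance_url"], tokens["access_token"], fetch)
    return tokens
```

The front end should treat `password_expired: true` as a hard stop and route the user to the reset flow before the access token is used for anything else.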
