Yes, the flow should be:

* User tries to login to an application and realizes that he doesn't remember password
* Click on reset password

You mean the "Forgot password" link in the login page, right?

* A page shows that an email has been sent to the user (including a link to resend)

Don't we need a page for the user to fill in his password? This is the common practice. Forgot password is a link and not an action in the login screen, so the user expects to be redirected to a page. (See attachment 1 and 2)

* The user then receives an email with a link that the user clicks on

I made a proposal. See attachment 3.

* When the user has clicked on the link the user is brought to the reset password form and can insert a new password (and password confirmation)

Attachment 4

* When the user submits the reset password form the user is logged in to the realm and redirected to the application

Some applications give a feedback that the password has been saved and redirect the user to the login page. Isn't that because of some security issue? (See attachment 5).

How long the user has to click the link in the email depends on the Realm settings. By default I think it should be 15 minutes (or something along those lines).

I put this information in the email (attachment 3).

There's also other cases:

* Admin initiates reset on behalf of user - in this case a user gets a email, but once the password is changed the user is redirected to the account management pages

Proposal in attachement 6

* In the above scenario if there was not a validated email associated with the user the user is given a temporary password by the admin - on the first login with this temporary password the user is required to change it

Attachment 7