Hi Raymond, I went ahead and provided this response in the support ticket you opened. I wanted to copy it here for posterity, in case someone else needs the same information later.
I believe you should be able to pull the public key for setting a user’s password by first getting their existing password setting:
I also performed a bit of additional research with Google, and found this document that seems to have a good explanation of RSA encryption and how it can be performed using a public key.
As for the required permissions, we can see this note in the document you linked:
The password can only be set by the actual identity owner or by a trusted API client application.
The way I interpret this is that the API endpoint can be used to update passwords if you are authenticated as the actual identity whose password is changing, or you may also be able to perform this change authenticated as an ORG_ADMIN.
I think it would be interesting to update the documentation to state that the publicKeyId field needs to be obtained through the query-password-info endpoint.
I had some difficulties regarding the use of this endpoint, mainly in the creation of the encryption.
Using Python, I was only able to do this using PKCS#1 v1.5 padding for encryption. And I only discovered this by asking for help on Stack Overflow, because in most RSA examples we only found the PKCS1_OAEP option for the public key, which was the one I used first, but it doesn't work.
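The padding mismatch described in the last post, shown as an added example that is not part of the original thread or of the vendor's documentation. It uses the Python `cryptography` package and assumes the public key is delivered as base64-encoded DER (SubjectPublicKeyInfo); the key pair, the password and all function names are constructed for the demonstration.

```python
import base64

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# The OAEP scheme most RSA tutorials show; a PKCS#1 v1.5 receiver cannot unpad it.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def make_constructed_keypair():
    """Stand-in for the service: a throwaway key pair built for this example."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    der = private_key.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, base64.b64encode(der).decode()


def encrypt_password(public_key_b64, password, scheme=None):
    """Encrypt with the given padding (PKCS#1 v1.5 by default); return base64."""
    public_key = serialization.load_der_public_key(
        base64.b64decode(public_key_b64))
    ciphertext = public_key.encrypt(password.encode("utf-8"),
                                    scheme or padding.PKCS1v15())
    return base64.b64encode(ciphertext).decode()


def receiver_decrypt_v15(private_key, encrypted_b64):
    """Decrypt the way a PKCS#1 v1.5 receiver would.

    Depending on the library and OpenSSL version, a ciphertext with the wrong
    padding either raises ValueError (returned here as None) or yields
    unrelated random bytes; in both cases the password is not recovered.
    """
    try:
        return private_key.decrypt(base64.b64decode(encrypted_b64),
                                   padding.PKCS1v15())
    except ValueError:
        return None


if __name__ == "__main__":
    priv, pub_b64 = make_constructed_keypair()
    secret = "Constructed-Passw0rd!"  # constructed sample value
    print(receiver_decrypt_v15(priv, encrypt_password(pub_b64, secret)))
    print(receiver_decrypt_v15(priv, encrypt_password(pub_b64, secret, OAEP)))
```

Both ciphertexts are the same length and look equally valid on the wire, so the only way to notice the wrong padding is the receiver's failure to recover the plaintext.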