I’ve not been able to find the answer to this question in Auth0 documentation though it is possibly there and I’m missing it. Here is our situation:
Custom Hosted Login Page (HLP)
We support email account, Google, and FB accounts
A user exists in Auth0 but is social only (e.g. Google)
user clicks on “Forgot Password?” link in our HLP
user enters email address (matches their google account) and we call auth0.WebClient.changePassword() as per this doco: Auth0.js v9 Reference
At this point, success response from Auth0. However, no email is sent. After experimenting, it seems clear that only if the user has a ‘database account’ is an email actually sent.
I completely understand getting back success if the user does not exist at all (i.e. to thwart bad actors), but if the user is in Auth0 as a social account and their email address matches what they’ve entered, and we get back a success response in our call to .changePassword() but ‘nothing happens’ (no email is sent), this leaves us with no way to help our real, valid user. We tell them we just sent them an email, but none was sent. That is surely going to anger our users.
Am I missing something in my understanding? Is there anything we can do to inform our ‘existing user’ (social only thus far) to signup rather than use ‘forgot password’ in this case?
@Joe_Tillotson did you get anywhere with this? I came here because I’m having exactly the same issue. It’s a bit of bad UX at the moment, in my opinion.
No. To the best of my knowledge, Auth0 believes that this call (via their client-side JS library - auth0.js) should effectively not return any information (good or bad) because this would allow a bad actor to determine if a user account exists or not.
I will admit, I moved on from this situation however, so I can’t swear there hasn’t been any change / movement on this. I recommend that you push on it if you are seeing the same behavior and perhaps you’ll hear something useful.
I remember trying out other organizations to see how they treated this scenario, and I found that there are definitely some ‘good organizations’ out there that do inform the user if an account exists (with the given email address) or not. Google for example, asks you to enter your name or phone number and then informs you if no account exists.
Thanks for your reply @Joe_Tillotson. Yeah, I thought that might be the case, that they’re trying not to expose information to ‘bad actors’. I still think that it would be useful for Auth0 to at least give the developer information so that they can decide how to handle it… though that said I suppose that anything client-side is vulnerable to being taken over by a bot.
Auth0 team, do you have any thoughts on this? Would be nice to be able to do something as some of my users aren’t switched on enough to remember how they logged in last.
At least the default confirmation text could be improved?
(I’m overriding languageDictionary.success.forgotPassword on the login page to help explain to the users that emails are only sent out if they have an existing account – even though that doesn’t go into the social vs database nuance.)
Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.
Wanted to reach out to know if you still require further assistance?
Hey Konrad, I supplied the initial post on this topic. Just since you poked your head in: does Auth0 have any plans (or perhaps has already?) to add richer support for allowing a client to know the following if/when an app/HLP calls the JS changePassword() function to request a password reset:
email provided in request matches existing email account
email provided in request matches existing social-only account
email provided in request does not match any existing account
I think this is not possible for those users that don’t exist this can be due to a banned account. If I am wrong then help me in enhancing my knowledge.
