Password Reset E-mail Automatically changes E-mail

When posting to https://xxx.auth0.com/dbconnections/change_password with a body of

{
  "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "email": "bob@example.com",
  "connection": "Username-Password-Authentication"
}

it will send the password reset E-mail correctly. However, once I hit either the link or confirm in the E-mail, it will automatically "reset" the password without prompting the user for the new password.

Is there something I’m doing wrong or did not configure correctly?

Can you confirm a couple of things for me to investigate:

Hi @prashant ,

  1. The Change Password flow v2 is enabled
  2. No, we’re using the default E-mail.

I’ve done some further testing. If I open the E-mail on my phone and click on the link/button, it will not automatically change the password with null, which is what I expect since I did not specify a password in the request. However, on Chrome/Firefox/Edge/IE on my PC, it will 9/10 times automatically change the password with null.

@jlovin thanks for clarifying. This behaviour is quite odd - I haven’t been able to reproduce this, nor have I come across it before. Which email provider/client are you using? i.e. are the emails being sent to a Gmail account, or something else?
One thing to test would be to try a different email address/client/provider to see whether this could be the issue.

@prashant I’ve been able to replicate with Outlook and Gmail.

Can you please try capturing a HAR file and a screen capture of this behaviour:
Generate and Analyze HAR Files. Please remove any sensitive information from the file before sending it through. You can upload it to Google Drive or OneDrive, and restrict access to the link for @auth0.com email addresses using sharelock.io.