Action Form - Set Password Field - Doesn't Display Errors for Password History, Dictionary, Personal Data Settings

Hello,

We have a custom Action Form set up in our Auth0 tenant that gets called when a user must reset their password. This Auth0 Action Form uses the built-in “Password” field that allows users to set a new password. However, it doesn’t display errors when a user reuses a previous password. Instead, it silently fails and returns to our site. We’d prefer it if the set password field displayed the proper error to the user so that they can try to set a new password again on that same page.

The built-in Password field should reject passwords that don’t conform to the password policies of the Auth0 Database Connection. It appears to be doing that, but it isn’t displaying the errors to the user.




I submitted a support ticket for this as well.

Auth0 support said “they are aware that this change password form/flow does not follow the same rules that are set on the Database Connection for a specific organization. They said that this may or may not get fixed at some point. There is no public page to track that work, either.”

So, because our clients have legal contractual requirements around passwords, we now have to implement a solution on our end, inside our own application, to handle forced password resets. I really wish Okta would fix these issues for everyone instead of forcing all of their clients to create workarounds.

Hi @auth037

Thank you for providing all of the information on this matter!

It is unfortunate that we are currently facing limitations that do not allow us to fully align the product with your client’s needs; however, we do encourage you to submit Feedback on this issue, where others can vote on the suggested Feature Request. The page is monitored by our Product team; if there is plenty of interest (votes), this will be passed along so development and research can be sped up for this feature.

We appreciate your transparency and details provided!

Wishing you a great day forward,
Gerald

This issue has been mostly resolved now. The Password History, Password Dictionary, and Personal Data settings that were enabled on the Database Connection were being followed, but when one of them triggered an error on the password reset form, the error wasn’t being displayed to the user, and the authentication process continued without giving the user authentication tokens. This is working now (thanks to Flavius from Auth0 Support) after these changes:



I also had to split these two steps apart in the Form area:


The proper error messages are now displayed:



I wish I could change the error messaging so that it had spaces in the word before the colon. I’m also not a fan of the “Password is too weak” error in the last image. I think that should say why it’s too weak.

In any case, I’m much happier with the way this is working now.

Hi @auth037

Thank you for sharing this information with the Community, it’s much appreciated!

Have a great one!
Gerald