Hi! I would like to protect some important user actions (like ownership transfer, account deletion) with password confirmation - the same way as Github does when someone wants to transfer ownership for repo. Is there some existing strategy for that or how can I check already authorized user password with Auth0 API one more time?
Hi @mgdskr,
I found this answer to a similar question in a support case:
You could call the /oauth/token endpoint and use the Resource Owner Password Grant to verify a password entered by a user. This essentially requesting a token again but you can perform the password grant auth request without redirecting to the login page.
Call Your API Using Resource Owner Password Flow
Your flow could be implemented by having the user enter their password, then you call the endpoint and if you get back an access token, then you know the user entered the correct password.
Keep in mind that the password grant requires a client secret, so it’s better to do this check from the backend.
Hope this helps!
Dan
2 Likes
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.