
Auto login after reset password

password-reset
reset-password

#1

Hi
We are directing the user back to our site as soon as they set their password through the auth0 hosted change password screen and reset password flow.

I was kind of expecting a valid session to be created during the reset password flow, meaning that a call to checkSession would return back an access token and we would show the user as logged in without them being forced to re-enter their password.

Is that possible with the hosted change password page?

Thanks


#2

I have the same need. I was also expecting that after inputting his new password the user would be logged in.

I found another issue (kind of related): Get Magic Link for Passwordless Login for Personalized Login E-mail, so I guess it’s not possible.

Right now I’m using a trick for new users. I’m setting a password that we generate server side, use the password with the ‘/oauth/token’ API to get the tokens and use them to create a redirect URL that I feed to the ‘/api/v2/tickets/password-change’ API. It returns me a link that allows the user to change his password and then redirect him to the site with valid credentials.

Sadly, it works only for the new users. Those who already have a password and want to change it will not be logged in once it is changed, as I did not find a way to generate the proper credentials for them without knowing their password.

Am I missing something? Is there an API endpoint to generate an accessToken without specifying the user password? (by providing the client private key for example).
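The workaround described in the post above (server-generated password, Resource Owner Password grant against /oauth/token, then a password-change ticket whose result_url carries the session) as an added, runnable sketch; this is example code written for this thread, not Auth0's code or the poster's. The tenant domain, client credentials, audience, connection name and landing page are placeholder assumptions, and the HTTP transport is injectable so the flow can be exercised offline with canned replies. It departs from the post in one respect: instead of placing the raw tokens in the redirect URL, it stores them server-side under a random one-time handle and only the handle goes into result_url.

```python
import json
import secrets
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# Placeholder tenant settings; every value here is an assumption, not from the thread.
DOMAIN = "example.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
API_AUDIENCE = "https://api.example.com/"
CONNECTION = "Username-Password-Authentication"      # assumed database connection name
RESULT_PAGE = "https://app.example.com/password-set"  # assumed landing page after the reset

# Transport signature: (method, url, json_payload, extra_headers) -> decoded JSON reply.
Sender = Callable[[str, str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]

# Server-side stand-in for a database table: one-time handle -> token set.
_pending_sessions: Dict[str, Dict[str, Any]] = {}


def send_json(method: str, url: str, payload: Dict[str, Any],
              headers: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: send a JSON body and decode the JSON reply (not used offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method=method,
        headers={"Content-Type": "application/json", **headers},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def set_temporary_password(mgmt_token: str, user_id: str, password: str,
                           send: Sender = send_json) -> Dict[str, Any]:
    """Step 1 of the post: give the new user a server-generated password via the Management API."""
    url = f"https://{DOMAIN}/api/v2/users/{urllib.parse.quote(user_id, safe='')}"
    return send("PATCH", url, {"password": password, "connection": CONNECTION},
                {"Authorization": f"Bearer {mgmt_token}"})


def password_grant(username: str, password: str, send: Sender = send_json) -> Dict[str, Any]:
    """Step 2: exchange the known password for tokens with the Resource Owner Password grant."""
    payload = {
        "grant_type": "password", "username": username, "password": password,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "audience": API_AUDIENCE, "scope": "openid profile email",
    }
    return send("POST", f"https://{DOMAIN}/oauth/token", payload, {})


def stash_tokens(tokens: Dict[str, Any]) -> str:
    """Keep the tokens on the server; only an unguessable one-time handle travels in the URL."""
    handle = secrets.token_urlsafe(32)
    _pending_sessions[handle] = tokens
    return handle


def redeem_handle(handle: str) -> Optional[Dict[str, Any]]:
    """Called by the landing page: returns the token set once, after which the handle is dead."""
    return _pending_sessions.pop(handle, None)


def build_result_url(handle: str) -> str:
    """Step 3: the result_url the ticket redirects to after the user has set their password."""
    return RESULT_PAGE + "?" + urllib.parse.urlencode({"session_handle": handle})


def create_password_change_ticket(mgmt_token: str, user_id: str, result_url: str,
                                  ttl_sec: int = 3600, send: Sender = send_json) -> str:
    """Step 4: POST /api/v2/tickets/password-change; the reply's 'ticket' field is the link to email."""
    payload = {"user_id": user_id, "result_url": result_url, "ttl_sec": ttl_sec}
    reply = send("POST", f"https://{DOMAIN}/api/v2/tickets/password-change", payload,
                 {"Authorization": f"Bearer {mgmt_token}"})
    return reply["ticket"]


def onboard_new_user(mgmt_token: str, user_id: str, email: str,
                     send: Sender = send_json) -> Tuple[str, str]:
    """Whole flow for a brand-new user: returns (ticket link to send, handle the landing page redeems)."""
    temp_password = secrets.token_urlsafe(24)
    set_temporary_password(mgmt_token, user_id, temp_password, send)
    tokens = password_grant(email, temp_password, send)
    handle = stash_tokens(tokens)
    link = create_password_change_ticket(mgmt_token, user_id, build_result_url(handle), send=send)
    return link, handle
```

As the post says, this only works when the server knows the password at the time the ticket is created, which is why it covers new users but not existing ones. The one-time handle is the design choice worth keeping: an access token placed directly in result_url ends up in browser history, Referer headers and web-server logs, whereas the handle is redeemable exactly once and only by the server that minted it.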


#4

I should be able to generate a link that allows anyone to log in as a user of my choice through the impersonation API. https://auth0.com/docs/user-profile/user-impersonation
I guess this was NOT meant to be used to log in real users, and I don’t want to use it if Auth0 will not support this usage. It feels too much like a hack.

What are our choices? The only solution I currently see is to code the whole changePassword process ourselves, sending our own emails, using our own APIs and generating the redirection link when saving the password.


#5

Hey, do you mind sharing how you created the redirect URL from the /oauth/token API please?