
Call to reset password provides no error when user is social only?
I’ve not been able to find the answer to this question in Auth0 documentation though it is possibly there and I’m missing it. Here is our situation:

  • Custom Hosted Login Page (HLP)
  • We support email account, Google, and FB accounts
  • A user exists in Auth0 but is social only (e.g. Google)
  • user clicks on “Forgot Password?” link in our HLP
  • user enters their email address (which matches their Google account) and we call auth0.WebClient.changePassword() as per this doco:

At this point, we get a success response from Auth0. However, no email is sent. After experimenting, it seems clear that an email is only actually sent if the user has a ‘database account’.

I completely understand getting back success if the user does not exist at all (i.e. to thwart bad actors), but if the user is in Auth0 as a social account and their email address matches what they’ve entered, and we get back a success response in our call to .changePassword() but ‘nothing happens’ (no email is sent), this leaves us with no way to help our real, valid user. We tell them we just sent them an email, but none was sent. That is surely going to anger our users.

Am I missing something in my understanding? Is there anything we can do to inform our ‘existing user’ (social only thus far) to sign up rather than use ‘forgot password’ in this case?