We want to use either the authentication or management API to update a users password
Preferably the mananagement api, so we can call it from our back end.
/api/v2/users/{id}
However, we dont want other people to be able to go to another users computer when they are already logged in and change the password without confirming with the old password.
We could solve this by chaining a login request with an update password request from our backend. However I don’t se any way to verify password+email using the management api?
BTW: For our login process we use the javascript sdk and call login.
We could redirect the user back to the webpage, however we dont want to store the users new password in the redirect URL or in the cache of security reasons.
The only options for changing a user’s password are documented at the link below:
Triggering a password reset - user will receive a password reset email,
Manually setting the user’s password - user will not receive any notification of this from Auth0
Note that neither option supports validation of the old password. It is assumed you trust the email address of the user you have on file. You could potentially write your own app / service to validate the current password and set a new one, but in general I believe that would not be recommended.
Yes, this is what i am saying. You are not anwsering my question. I am going to do my own validation.
I need a way to verify their current password and email without calling login. Because this would mean they will be redirected.
I can call this from our own backend services.
I trust that their mail and currently signed in user account is correct. However, i dont trust that if they leave their tab open, or their computer unlocked, that somebody could go in and change the password without knowing the old password. From what i see this is a very standard way.
I might be wrong (maybe one of the Auth0 engineers will provide a definitive response) but I am not aware of any way to do what you are trying to do, unless maybe you can use auth0.js to do a silent login e.g. with webAuth.login().