
Change password validation

password
change-password
set-password

#1

We have a scenario in which the user must input their current password in order to update with the new password. So far I haven’t been able to find any endpoints in the APIs to enable me to retrieve the user’s current password to check against. Is this scenario possible with Auth0?


#2

I’m also trying to solve for the same situation. I can’t find any sort of endpoint on the management API that could be used to verify a password.


#3

Auth0 does not store the password of the user, only the password hash. In saying this, can you describe why you would require this, if the user has already logged into your application?


#4

Prashant, requiring a user to confirm their password before changing it is an extra layer of security to protect against, say, a user leaving their computer open or forgetting to log out on a public machine. Is there a way to verify a user’s password through the API?


#5

There’s no endpoint in any of the APIs to retrieve the user’s current password. But you can make use of Authentication API’s Authenticate User Endpoint to check if the user has entered the correct current password.

This endpoint requires you to first configure the grant types for the client. More details around this are outlined here.

P.S. This endpoint is disabled for new tenants :frowning:
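The check described in this reply, as an added example that is not code from the thread or from Auth0: the server takes the current password the user typed on the change-password form and runs it through the Authentication API's `/oauth/token` endpoint with the password-realm grant. A 200 with an access token means the password matched; an `invalid_grant` error means it did not. The tenant domain, client credentials, realm name and the JSON shapes of the sample responses are assumptions for illustration, and the `fake_auth0` transport is constructed data so the example runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def _post_form(url, fields):
    """Real transport: POST an application/x-www-form-urlencoded body.

    Auth0 answers a rejected grant with a 4xx status, which urllib raises as
    HTTPError; the error body still carries the JSON error object, so it is
    parsed and returned the same way as a success body.
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read().decode() or "{}")


def verify_current_password(domain, client_id, client_secret, username, password,
                            realm="Username-Password-Authentication", post=_post_form):
    """Check a user's current password by attempting a password-realm grant.

    Returns (ok, reason). Only the boolean is meant to be used by the caller;
    the access token that a successful grant returns is discarded on purpose,
    since this call exists to confirm the password, not to mint a session.
    Must run server-side: it carries the client secret and the raw password.
    """
    status, body = post(
        f"https://{domain}/oauth/token",
        {
            # Realm-scoped variant of the password grant, so the check is pinned
            # to one database connection rather than the client's default.
            "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
            "realm": realm,
            "username": username,
            "password": password,
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "openid",
        },
    )
    if status == 200 and "access_token" in body:
        return True, "ok"
    err = body.get("error", "")
    if err == "invalid_grant":          # wrong username/password
        return False, "wrong_password"
    if err == "too_many_attempts":      # brute-force protection tripped (assumed code)
        return False, "locked_out"
    if err == "unauthorized_client":    # grant not enabled for this client/tenant (assumed code)
        return False, "grant_disabled"
    return False, f"error:{err or status}"


def fake_auth0(url, fields):
    """Constructed stand-in for a tenant, for offline demonstration only.

    Accepts exactly one password for the sample user; everything else is
    rejected the way Auth0 rejects a bad grant. Not a recorded real response.
    """
    assert url.endswith("/oauth/token")
    if fields["username"] == "alice@example.com" and fields["password"] == "correct horse battery staple":
        return 200, {"access_token": "constructed.sample.token", "token_type": "Bearer", "expires_in": 86400}
    return 403, {"error": "invalid_grant", "error_description": "Wrong email or password."}


def fake_new_tenant(url, fields):
    """Constructed stand-in for a tenant where the password grant is disabled."""
    return 403, {"error": "unauthorized_client",
                 "error_description": "Grant type 'password' not allowed for the client."}


def change_password_allowed(current_password, post):
    """What the change-password handler would do: gate the update on the check.

    Never log or persist current_password; it is only forwarded to the check.
    """
    ok, reason = verify_current_password("example.auth0.com", "client-id", "client-secret",
                                         "alice@example.com", current_password, post=post)
    return ok, reason


if __name__ == "__main__":
    print(change_password_allowed("correct horse battery staple", fake_auth0))
    print(change_password_allowed("hunter2", fake_auth0))
    print(change_password_allowed("correct horse battery staple", fake_new_tenant))
```

Two caveats a practitioner would want alongside this: the grant has to be enabled on the client, and, as noted above, it is not available on new tenants, so the `grant_disabled` branch is the one you will hit first if the tenant is recent; and the check confirms only that Auth0 accepted the password for that connection, nothing about the hash, which Auth0 never exposes.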


#6

As Jake1 had mentioned, it’s an extra layer of security for the user.


#7

For now we have decided to backlog this particular feature until Auth0 exposes either the password hash, or we find more use cases. @jake1, as an alternative you could consider implementing this yourself: on user login, store a password, salted and hashed, on the server to compare against.


#8