Change password validation

We have a scenario in which the user must input their current password in order to update with the new password. So far I haven’t been able to find any endpoints in the APIs to enable me to retrieve the user’s current password to check against. Is this scenario possible with Auth0?

I’m also trying to solve for the same situation. I can’t find any sort of endpoint on the management API that could be used to verify a password.

Auth0 does not store the password of the user, only the password hash. In saying this, can you describe why you would require this, if the user has already logged into your application?

Prashant, requiring a user to confirm their password before changing it is an extra layer of security to protect against, say, a user leaving their computer open or forgetting to log out on a public machine. Is there a way to verify a user's password through the API?


There’s no endpoint in any of the APIs to retrieve the user’s current password. But you can make use of Authentication API’s Authenticate User Endpoint to check if the user has entered the correct current password.

This endpoint requires you to first configure the grant types for the client. More details around this are outlined here.

P.S. This endpoint is disabled for new tenants :(

As Jake1 had mentioned, it’s an extra layer of security for the user.


For now we have decided to backlog this particular feature until Auth0 exposes either the password hash, or we find more use cases. @jake1, as an alternative you could consider implementing this yourself: on user login, store the password, salted and hashed, on the server to compare against.
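An added example (not code from this thread or from Auth0) of the alternative Alex describes above: once the identity provider has accepted a login, the backend keeps its own salted, slow-hashed verifier of the password and later checks the re-entered "current password" against it. PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison are my choices; the in-memory store, the `auth0|...` user ids and the passwords in the test are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict

# Slow hash so that a leaked verifier is expensive to brute-force.
PBKDF2_ITERATIONS = 600_000


def make_verifier(password: str) -> Dict[str, object]:
    """Derive a fresh salted verifier; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Iteration count travels with the record so it can be raised later
    # without invalidating verifiers already stored.
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def check_verifier(record: Dict[str, object], password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


class PasswordConfirmationStore:
    """Server-side store keyed by user id.

    Constructed in-memory stand-in for whatever database the backend uses.
    """

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, object]] = {}

    def on_login(self, user_id: str, password: str) -> None:
        # Only call this after the identity provider has accepted the credentials.
        self._records[user_id] = make_verifier(password)

    def confirm(self, user_id: str, password: str) -> bool:
        # A user with no verifier (never logged in through this path) fails closed.
        record = self._records.get(user_id)
        return record is not None and check_verifier(record, password)

    def on_password_changed(self, user_id: str, new_password: str) -> None:
        # Keep the verifier in step with the new credential, otherwise the next
        # confirmation would succeed against the old password.
        self._records[user_id] = make_verifier(new_password)

    def on_logout(self, user_id: str) -> None:
        self._records.pop(user_id, None)
```

The verifier is a second copy of credential material living outside the identity provider, so it should be treated with the same care as a password database: encrypt the store at rest, clear records on logout, and rotate them whenever the password changes.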

Hi @alex.moss2516,

Found this community thread while I was searching for something else. While Auth0 does not expose the user’s password, you may use the Resource Owner Password Grant to verify the user’s password for sensitive tasks.

The actual usage of the password grant is to obtain an access token for the user. However, you can send the incoming user's password to the /oauth/token endpoint, and if you get back a token, that means the entered password is correct.

Please note that the Resource Owner Password Grant requires you to send the client_secret along with the request to the /oauth/token endpoint, which means you have to use a secure application, such as a backend application, to use this grant.

Further readings:
https://auth0.com/docs/api-auth/tutorials/password-grant
https://auth0.com/docs/api/authentication#resource-owner-password

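An added example, not Auth0's code and not posted by anyone in this thread, of the check the last two answers describe (the legacy Authenticate User endpoint and the Resource Owner Password Grant both work the same way: the backend submits the user's credentials and treats a token response as "password correct"). The request fields and the `invalid_grant` / `access_denied` error codes follow the Auth0 documentation linked above; the tenant domain, client id, client secret, user and the `fake_auth0_transport` stand-in for `/oauth/token` are constructed so the example runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# A transport POSTs form fields to a URL and returns (status, body).
# It is injectable so the check can be exercised without network access.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def urllib_post(url: str, fields: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: form-encoded POST; non-2xx bodies are returned, not raised."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def verify_current_password(domain: str, client_id: str, client_secret: str,
                            username: str, password: str,
                            transport: Transport = urllib_post) -> str:
    """Return "ok" if Auth0 issues a token for these credentials,
    "wrong_password" if it rejects them, otherwise "error:<code>"."""
    status, body = transport(f"https://{domain}/oauth/token", {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,  # backend only; never ship this to a browser
        "scope": "openid",
    })
    try:
        payload = json.loads(body)
    except ValueError:
        return f"error:http_{status}"
    if status == 200 and payload.get("access_token"):
        return "ok"  # the token itself is discarded; only the yes/no is needed
    error = payload.get("error", "")
    if error == "invalid_grant":
        return "wrong_password"
    # Anything else (grant type not enabled for the client, wrong client secret,
    # brute-force lockout) is a deployment problem, not a user typo: surface it
    # rather than silently treating it as a wrong password.
    return f"error:{error or 'http_' + str(status)}"


# --- constructed stand-in for the Auth0 endpoint (offline demo only) -------------
DEMO_SECRET = "s3cret"
DEMO_USERS = {"alice@example.com": "correct horse battery staple"}


def fake_auth0_transport(url: str, fields: Dict[str, str]) -> Tuple[int, str]:
    """Mimics the documented /oauth/token responses for the password grant."""
    assert url.endswith("/oauth/token") and fields["grant_type"] == "password"
    if fields["client_secret"] != DEMO_SECRET:
        return 401, json.dumps({"error": "access_denied", "error_description": "Unauthorized"})
    if DEMO_USERS.get(fields["username"]) != fields["password"]:
        return 403, json.dumps({"error": "invalid_grant",
                                "error_description": "Wrong email or password."})
    return 200, json.dumps({"access_token": "eyJ...", "id_token": "eyJ...",
                            "token_type": "Bearer", "expires_in": 86400})


def change_password_guard(username: str, current_password: str, transport: Transport) -> bool:
    """Gate for the password-change handler: proceed only on an exact "ok"."""
    result = verify_current_password("example.auth0.com", "client-id", DEMO_SECRET,
                                     username, current_password, transport=transport)
    return result == "ok"


if __name__ == "__main__":
    print(change_password_guard("alice@example.com", "correct horse battery staple",
                                fake_auth0_transport))  # True
    print(change_password_guard("alice@example.com", "hunter2", fake_auth0_transport))  # False
```

Because every call to this check is a real login attempt, Auth0's brute-force protection counts it; a user who fumbles the "current password" field repeatedly can lock their own account, and the non-`invalid_grant` error branch is where that lockout will show up. Keep the check server-side, rate-limit the change-password form, and drop the returned tokens immediately.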