Based on the documentation available at:
https://support.auth0.com/center/s/article/Changing-email-verified-terminated-session
I understand that a change has been implemented such that an Auth0 session will no longer be terminated even when a password is changed via the Management API Update a User endpoint.
However, after performing the following verification steps, it appears that the Auth0 session is terminated after a password change.
Is this the correct behavior?
Furthermore, the same behavior was observed when the email address was changed, not just the password.
Verification Steps:
1. Assemble the authentication request URL in Postman and paste it into the browser’s URL bar, then press Enter.
2. Enter the ID/password on the login screen.
3. Copy the authorization code returned in the browser’s URL bar.
4. Execute a token retrieval request in Postman, configuring it with the authorization code copied in step 3, resulting in an ID Token being issued.
5. Repeat step 1.
→ Step 2 is skipped, indicating that an Auth0 session has been established.
6. Use the Management API Update a User endpoint in Postman to change the password of the logged-in user.
7. Repeat step 1.
Result:
After performing step 7, the login screen was displayed.
→ I concluded that the Auth0 session is terminated when the password is changed.
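One way to make the check above more precise than "was the login screen shown", as an added example that is not part of the original post: compare the session-related claims of the ID token issued before the password change with the one issued after. It assumes the Auth0 ID token carries the `sid` (session id) claim and, when requested, `auth_time`; the sample tokens are constructed inline and are not real tokens.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT without verifying the signature.

    Inspection only: the caller must already trust the token (it was issued
    to us directly by the token endpoint), so no signature check is done here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def compare_sessions(id_token_before: str, id_token_after: str) -> dict:
    """Tell whether two ID tokens come from the same Auth0 session.

    same_session:    both tokens carry an identical 'sid' claim (assumed present).
    reauthenticated: 'auth_time' differs, i.e. the user logged in again;
                     None when either token lacks 'auth_time'.
    """
    before = decode_jwt_payload(id_token_before)
    after = decode_jwt_payload(id_token_after)
    same_sid = before.get("sid") is not None and before.get("sid") == after.get("sid")
    if "auth_time" in before and "auth_time" in after:
        reauth = before["auth_time"] != after["auth_time"]
    else:
        reauth = None
    return {"same_session": same_sid, "reauthenticated": reauth}


def _sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline demonstration."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample: the second token has a new sid and a later auth_time,
    # which is what a terminated session followed by a fresh login looks like.
    tok_before = _sample_token({"sub": "auth0|example", "sid": "session-A", "auth_time": 1700000000})
    tok_after = _sample_token({"sub": "auth0|example", "sid": "session-B", "auth_time": 1700000600})
    print(compare_sessions(tok_before, tok_after))
```

Run step 4 once before the Management API call and once after step 7, feed both ID tokens to `compare_sessions`, and a changed `sid` confirms the original session was terminated rather than merely prompting again.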