Changing Certain Profile Attributes Terminates Session

Problem Statement

We noticed that after changing user profile attributes, user sessions got terminated. Here are the steps to reproduce:

1. User logs in
2. PATCH the user’s email_verified, email, password, or phone number (if using SMS passwordless)
3. Attempt a prompt=none /authorize request

Solution

This is expected behavior as of the current design. As documented here,

“Generally, you clear an Auth0 session by diverting users to the /logout endpoint. However, if you call the Update a User endpoint to reset user attributes (passing values email, email_verified, phone_number, and password), auth0.checkSession does not renew the session, and the user must re-login.”

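Added example (not Auth0's code and not part of the original post): one way a client could anticipate and handle this behavior. It flags PATCH bodies containing the four attributes and falls back to interactive login when the prompt=none response carries a standard OIDC error such as login_required. The function names, the cfg shape, and the sample values are assumptions made for illustration.

```javascript
// Attributes named in the quoted documentation: updating any of them through
// the Update a User endpoint means silent authentication no longer renews the session.
const SESSION_ENDING_ATTRS = ["email", "email_verified", "phone_number", "password"];

// Return the attributes in a PATCH body that will force the user to re-login.
function sessionEndingAttrs(patchBody) {
  return SESSION_ENDING_ATTRS.filter((key) =>
    Object.prototype.hasOwnProperty.call(patchBody, key));
}

// Standard OIDC errors meaning prompt=none could not complete without user interaction.
const NEEDS_INTERACTION = ["login_required", "interaction_required", "consent_required"];

// Decide what to do with the redirect that answers a prompt=none /authorize request.
// cfg (domain, clientId, redirectUri, newState) is a hypothetical shape for this example.
function handleSilentAuthCallback(callbackUrl, expectedState, cfg) {
  const params = new URL(callbackUrl).searchParams;
  // Check state before trusting anything else in the response.
  if (params.get("state") !== expectedState) {
    return { action: "reject", reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (!error) {
    const code = params.get("code");
    return code ? { action: "continue", code } : { action: "reject", reason: "missing_code" };
  }
  if (NEEDS_INTERACTION.includes(error)) {
    // Session is gone (for example after the PATCH above): send the user through
    // an interactive login, i.e. the same request without prompt=none.
    const url = new URL("/authorize", `https://${cfg.domain}`);
    url.search = new URLSearchParams({
      response_type: "code",
      client_id: cfg.clientId,
      redirect_uri: cfg.redirectUri,
      scope: "openid",
      state: cfg.newState, // fresh value; add nonce/PKCE as the flow requires
    }).toString();
    return { action: "interactive_login", url: url.toString() };
  }
  return { action: "reject", reason: error };
}

// Constructed sample configuration (placeholders, not real values).
const SAMPLE_CFG = { domain: "tenant.example.test", clientId: "CLIENT_ID_PLACEHOLDER",
  redirectUri: "https://app.example.test/callback", newState: "s2" };
```

Calling sessionEndingAttrs before sending the PATCH lets the application warn the user, or schedule a fresh login, instead of surfacing an unexplained sign-out.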