Changing Certain Profile Attributes Terminates Session

Problem Statement

We noticed that the user session was terminated after updating the profile information.

Symptoms

The user is logged out after their profile is updated through the PATCH /api/v2/users/[id] endpoint.

Steps to Reproduce

  1. Log a user in to your tenant.
  2. PATCH the user's email_verified, email, password or phone_number (the last if using SMS passwordless).
  3. Attempt a prompt=none /authorize request; it no longer returns a session.

Cause

This is expected behavior as of the current design. As documented here,

“Generally, you clear an Auth0 session by diverting users to the /logout endpoint. However, if you call the Update a User endpoint to reset user attributes (passing values email, email_verified, phone_number, and password), auth0.checkSession does not renew the session, and the user must re-login.”

Solution

Avoid patching these profile attributes for users who currently have a session. If users update email_verified themselves by clicking the link in a verification email, their session does not end, so that is the preferred route.
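As an added example (not code from the original article or from Auth0's own SDKs), the helper below wraps the PATCH call and flags the four attributes the quote lists, so the caller knows in advance that the user must be sent back through an interactive login rather than a prompt=none request. The tenant domain, Management API token, user id and the injectable `fetchImpl` parameter are assumptions for illustration.

```javascript
// Added example, not Auth0's own code. Assumes a Management API token that is
// allowed to update users; the domain, token and user id below are placeholders.

// The attributes whose update ends the user's current Auth0 session.
const SESSION_INVALIDATING_ATTRIBUTES = new Set([
  "email", "email_verified", "phone_number", "password",
]);

// Returns the keys in a PATCH body that will terminate the user's session.
function sessionInvalidatingFields(patchBody) {
  return Object.keys(patchBody).filter((k) => SESSION_INVALIDATING_ATTRIBUTES.has(k));
}

// Builds the request for PATCH /api/v2/users/{id} (pure, so it is easy to test).
function buildPatchRequest({ domain, token, userId, patchBody }) {
  return {
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    init: {
      method: "PATCH",
      headers: {
        Authorization: `Bearer ${token}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(patchBody),
    },
  };
}

// Sends the PATCH and reports whether the caller must redirect the user to an
// interactive /authorize login; a prompt=none request would fail afterwards.
async function patchUser({ domain, token, userId, patchBody, fetchImpl = fetch }) {
  const { url, init } = buildPatchRequest({ domain, token, userId, patchBody });
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    throw new Error(`PATCH ${url} failed with HTTP ${res.status}`);
  }
  const invalidatingFields = sessionInvalidatingFields(patchBody);
  return {
    user: await res.json(),
    requiresReLogin: invalidatingFields.length > 0,
    invalidatingFields,
  };
}
```

A caller that gets `requiresReLogin: true` should redirect to /authorize without prompt=none (or simply to /logout) instead of relying on checkSession.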
