Problem Statement
We noticed that the user session was terminated after updating the profile information.
Symptoms
The user is logged out after the PATCH /api/v2/users/[id] endpoint is used.
Steps to Reproduce
- Log a user in to your tenant.
- PATCH the user’s email_verified, email, password or phone number (if using SMS passwordless).
- Attempt a prompt=none /authorize request.
Cause
This is expected behavior as of the current design. As documented here,
“Generally, you clear an Auth0 session by diverting users to the /logout endpoint. However, if you call the Update a User endpoint to reset user attributes (passing values email, email_verified, phone_number, and password), auth0.checkSession does not renew the session, and the user must re-login.”
Solution
Avoid patching these profile attributes for users who currently have a session. If users update their email_verified by clicking the link in a verification email, their session does not end, so this is the ideal route.
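One way to apply this in a backend that proxies profile edits, shown as an added example that is not Auth0's code or part of the original article: split the PATCH body into fields that are safe to send during a session and the session-ending fields named in the quoted documentation, and classify the result of the prompt=none /authorize check. The function names, sample values and callback URL are assumptions; login_required is the standard OIDC error returned when no session is available.

```javascript
// Added example, not Auth0 code. The attribute names are the ones listed in
// the documentation quoted above; every function name here is hypothetical.
const SESSION_ENDING_ATTRIBUTES = ['email', 'email_verified', 'phone_number', 'password'];

// Split a proposed PATCH /api/v2/users/{id} body into fields that can be sent
// while the user is logged in and fields that will force a re-login.
function partitionUserPatch(body) {
  const safe = {};
  const sessionEnding = {};
  for (const [key, value] of Object.entries(body)) {
    const bucket = SESSION_ENDING_ATTRIBUTES.includes(key) ? sessionEnding : safe;
    bucket[key] = value;
  }
  return { safe, sessionEnding };
}

// Classify the redirect that comes back from a prompt=none /authorize request.
// "login_required" is the standard OIDC error for "no usable session".
function silentAuthOutcome(callbackUrl) {
  const url = new URL(callbackUrl);
  // Response parameters arrive in the query or the fragment, depending on response_mode.
  const params = new URLSearchParams(url.search || url.hash.slice(1));
  const error = params.get('error');
  if (error === 'login_required') return 'reauthenticate';
  if (error) return `error:${error}`;
  return params.has('code') || params.has('access_token') ? 'session_active' : 'unknown';
}

// Constructed sample input: a profile edit that mixes both kinds of field.
const { safe, sessionEnding } = partitionUserPatch({
  nickname: 'sam',
  user_metadata: { theme: 'dark' },
  email: 'sam@example.com',
});
console.log('send now:', Object.keys(safe));
console.log('ends session:', Object.keys(sessionEnding));
console.log(silentAuthOutcome('https://app.example.com/callback?error=login_required&state=abc'));
```

Fields returned in sessionEnding can be held back until the user expects to sign in again, or sent with a prompt that re-login will follow.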