Changing User Password with Resource Owner Password Flow – Is It Safe or Should?

Hi everyone,

I’m building a flow in my app where authenticated users can change their password directly from the UI without needing to go through an email link.

Setup & Goal

  • My users are in a “Username-Password-Authentication” database connection.
  • I’m using a custom backend (NestJS) with M2M Auth0 credentials to interact with the Auth0 Management API.
  • To verify the user’s identity before updating the password, I’m using the Resource Owner Password Grant:
    1. I authenticate the user with their email + old password (/oauth/token with grant_type: password) using the M2M app.
    2. If that succeeds, I use the Management API to call users.update() and change their password.

Why I’m Doing It This Way

  • I want to preserve a seamless UX inside my app — no email link, no redirection.
  • I want to verify the user’s identity securely, not just accept a password change.
  • I already have JWT auth and secure backend logic to guard the route.

My Concerns

  • Is this approach safe and recommended, assuming I’m not exposing any secrets and using rate limiting?
  • The M2M app is stored securely on the backend and only has the needed scopes, but I’m wondering:
    • Is it risky to use M2M for Resource Owner Password Grant like this?
    • Does this go against best practices, even if the endpoint is well-protected?
  • Would you recommend just using the “Change Password Email” flow instead, even if it slightly affects the UX?
  • Alternatives: Is there a preferred way to verify the old password before calling the Management API?

Any advice, best practices, or real-world experiences? Thanks in advance!
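The two-step sequence described above, written out as an added example that is not part of the original post or of any Auth0 SDK; the injected HTTP client, the config field names and the `SessionUser` shape are assumptions, while the `/oauth/token` and `PATCH /api/v2/users/{id}` request shapes follow Auth0's documented endpoints:

```typescript
// Added example (not from the thread): verify the old password with the Resource
// Owner Password grant, then update it through the Management API. The HTTP layer
// is injected so the flow can be exercised offline with a fake client.

export type HttpResponse = { status: number; body: unknown };
export type HttpPost = (method: "POST" | "PATCH", url: string,
  headers: Record<string, string>, body: Record<string, unknown>) => Promise<HttpResponse>;

export interface Auth0Config {
  domain: string;           // placeholder, e.g. "your-tenant.auth0.com"
  ropgClientId: string;     // app with the password grant enabled; secret stays server-side
  ropgClientSecret: string;
  connection: string;       // "Username-Password-Authentication" in the question
  mgmtToken: string;        // Management API token limited to update:users
}

// Identity from the JWT the route guard already validated. Both sub and email must
// come from that verified token, never from the request body, so the old-password
// check and the update are bound to the same account. (Assumed shape.)
export interface SessionUser { sub: string; email: string }

export type ChangeResult = "ok" | "not_verified" | "update_failed";

export async function changePassword(cfg: Auth0Config, http: HttpPost, user: SessionUser,
  oldPassword: string, newPassword: string): Promise<ChangeResult> {
  // Step 1: Resource Owner Password grant with the old password. (Auth0 also offers the
  // password-realm grant with a `realm` field to pin the lookup to one connection.)
  const tokenRes = await http("POST", `https://${cfg.domain}/oauth/token`,
    { "content-type": "application/json" },
    { grant_type: "password", username: user.email, password: oldPassword,
      client_id: cfg.ropgClientId, client_secret: cfg.ropgClientSecret, scope: "openid" });
  // Any non-200 (403 invalid_grant, 429 rate limit, ...) means "not verified"; the caller
  // should log the error code and count failures per user to back the rate limiting.
  if (tokenRes.status !== 200) return "not_verified";

  // Step 2: update the password via the Management API, targeting the session's own sub.
  const updRes = await http("PATCH",
    `https://${cfg.domain}/api/v2/users/${encodeURIComponent(user.sub)}`,
    { "content-type": "application/json", authorization: `Bearer ${cfg.mgmtToken}` },
    { password: newPassword, connection: cfg.connection });
  // As noted in the thread, a successful update ends the user's existing sessions.
  return updRes.status === 200 ? "ok" : "update_failed";
}
```

On a failed verification the function returns before any Management API call is made, which is the property worth asserting in a unit test.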

Hi @ines.s

Welcome to the Auth0 Community!

As long as the M2M credentials and the endpoint are not exposed and the M2M app has no unnecessary scopes, the approach you have described seems to be safe. I would highly recommend reviewing our documentation regarding common issues with the Resource Owner Password Flow.

Otherwise, if you want to accomplish a seamless password change flow for your users, please take into consideration that when the password is updated through either the Change Password Email or the Management API, any active sessions the user has will be terminated and they will be asked to re-authenticate.

In my personal opinion, I would recommend using a password change email, since the resource owner password flow can open up several issues as mentioned in the documentation linked above.

In regards to checking the old password, we do not have any out-of-the-box solution for such an implementation; we usually recommend using the Resource Owner Password Flow as you are doing in your use case.

If you have any other questions, let me know!

Kind Regards,
Nik


Thank you so much for the response and clarification — really grateful for the help!