Does the Auth0 system provide any extensibility point for handling a “Failed Login (Incorrect Password)” event?
When the client fails to log in using password auth, I want to return a more specific error code in some cases, based on user info about the account (if any) that the attempt was made against.
For example: if the user.app_metadata.must_reset_password flag is set, I want to show the client “you must reset your password” error rather than a generic “incorrect password” error. (I realize that this enables account-probing.)
There isn’t an extensibility point for incorrect password like with post-login or change-password.
If this is the main use case, you may want to consider using a different pattern. If you are enforcing a password reset for your user, you should let them authenticate with the existing password, then use an action/rule to throw an error instructing them to reset their password.
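
The pattern suggested in the answer above, sketched as a post-login Action (an added example, not code from the thread or from Auth0). Because the Action runs only after the correct password has been supplied, the specific reason is never returned to someone who is guessing passwords, which avoids the account-probing issue raised in the question. The reason string `password_reset_required`, the helper `mustResetPassword` and the `simulate` harness with its sample events are assumptions made for illustration.

```javascript
// Added example: Auth0 post-login Action (Node.js).
const RESET_REASON = 'password_reset_required'; // constructed reason string

// Decide whether this login must be stopped for a forced password reset.
function mustResetPassword(event) {
  // Only database (username/password) connections have a password to reset;
  // their connection strategy is "auth0".
  if (!event.connection || event.connection.strategy !== 'auth0') return false;
  // app_metadata can be missing on users that never had it set.
  const meta = (event.user && event.user.app_metadata) || {};
  // Require a strict boolean so a stray string value does not lock users out.
  return meta.must_reset_password === true;
}

const onExecutePostLogin = async (event, api) => {
  if (mustResetPassword(event)) {
    // The reason is passed back to the application with the denied login,
    // so the client can show a "you must reset your password" message.
    api.access.deny(RESET_REASON);
  }
};

// Auth0 loads the handler from exports; the guard lets the file run as an ES module too.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Offline harness: stubs the api object and reports the deny reason (or null).
async function simulate(event) {
  let denied = null;
  const api = { access: { deny: (reason) => { denied = reason; } } };
  await onExecutePostLogin(event, api);
  return denied;
}

// Constructed sample events, trimmed to the fields the Action reads.
const flaggedUser = {
  connection: { strategy: 'auth0' },
  user: { app_metadata: { must_reset_password: true } },
};
const normalUser = { connection: { strategy: 'auth0' }, user: {} };
const socialUser = {
  connection: { strategy: 'google-oauth2' },
  user: { app_metadata: { must_reset_password: true } },
};
```

The flag has to be cleared once the reset completes, otherwise every later login is denied as well.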