Feature request: Post change password action & hook should receive the new password

Feature: Post change password action and hook should receive the new password.

Description:
This would be the only way to sync a password change to an external database, when you have a database connection in the “Import Users to Auth0” mode.

Use-case:
The purpose of that mode is probably to be used under a transition period, when migrating systems from some legacy user registry to Auth0, but it’s not uncommon for such a transition to take quite some time, due to limited dev resources. In the meantime, it must be possible to sync password changes between Auth0 and the connected external database. As it is now, that’s not possible, as far as I can see.

If the new password were to be included in the data sent into the post change password action & hook, the sync would be a piece of cake. And I see no reason to exclude it. It wouldn’t pose any extra security risk, compared to the already-present login script of the database connection.

As an alternative, a database connection in the “Import Users to Auth0” mode could be allowed the additional scripts that are available for database connections that are not in “Import Users to Auth0” mode, in particular the “Change Password” script.

Hi @krilbe,

Thank you for submitting this feedback request along with a detailed use case!

I’d be curious how you ended up solving this one. I’m in the same scenario.

To be honest I don’t quite recall, but inspecting our rules, hooks and actions I can’t really see that we do anything to forward the new password to the legacy user registry. So, I actually think that we never did solve it. Instead, I think we actually live with the problem of unsynced passwords. For the most part it’s not a big problem. Very few customers do password resets, and those who do mostly do it in the legacy systems that are still connected to our legacy user registry.

Not quite sure if the legacy systems invalidate the migrated user object in Auth0 to ensure that it’s re-fetched from the legacy user registry when logging in from a new system (connected to Auth0), or if the legacy systems do anything else to sync pwd changes to Auth0, but it would be possible at least, using the Auth0 API from the legacy systems, I presume.