Force a New User to Change Password on the First Login

Last Updated: Dec 2, 2024

Overview

This article provides steps to force a new user to reset their password upon their first login attempt. This requirement can arise from a need to enhance security or when user accounts are pre-created.

Applies To

  • Change Password
  • First Login
  • Actions

Solution

The following options are available to achieve this functionality:

Option 1: Utilize a Post-Login Action and a Post-Change Password Action

This option uses a combination of two actions in Auth0: a post-login action and a post-change password action.

  1. Post-Login Action: This action decides whether the user is allowed to access the application based on the needsPasswordReset flag stored in the user's app_metadata.
// Post-login action to force password reset on first login
exports.onExecutePostLogin = async (event, api) => {
  // Check the login count to determine if it's the user's first login
  const loginCount = event.stats.logins_count;

  if (loginCount === 1) {
    // Set the needsPasswordReset flag to true for the user's first login
    // (api.user.setAppMetadata takes the metadata key and its value)
    api.user.setAppMetadata('needsPasswordReset', true);

    // Deny access and prompt the user to reset their password
    api.access.deny('Please reset your password!');
  } else {
    // For subsequent logins, read the flag from the user's app_metadata;
    // app_metadata can be absent on a user, so default to an empty object
    const appMetadata = event.user.app_metadata || {};

    // Check if the needsPasswordReset flag exists and is set to true
    if (appMetadata.needsPasswordReset === true) {
      // If the flag is true, deny access and prompt the user to reset their password
      api.access.deny('Please reset your password!');
    }

    // If the flag exists and is set to false, do nothing
  }
};

  2. Post-Change Password Action: This action uses the Management API to clear the user's metadata flag after they change their password, allowing them to log in.

// Post Change Password Action to update user metadata using the Management API.
// Requires the `auth0` npm package (v3 API shown) added as an Action dependency,
// with the M2M application's credentials stored as Action secrets instead of
// being hard-coded in the source
exports.onExecutePostChangePassword = async (event) => {
  const ManagementClient = require('auth0').ManagementClient;
  const management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.clientId,
    clientSecret: event.secrets.clientSecret,
    scope: 'read:users update:users',
  });
  try {
    // Update the needsPasswordReset flag to false after password reset.
    // The post-change-password event exposes the user's identifier as event.user.id
    await management.updateAppMetadata({ id: event.user.id }, { needsPasswordReset: false });
  } catch (error) {
    console.error('An error occurred while updating user metadata:', error);
  }
};

Refer to the Auth0 documentation How can I use the Management API in Actions for more details on using the Management API in Actions. This combination ensures new users are prompted to reset their passwords upon first login.
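The post-login decision logic above is easiest to reason about when you can run it against each state a user passes through (first login, a later login before the reset, a login after the reset, and a pre-existing user who never had the flag). The following is an added example, not Auth0's code or the article's own: it re-implements the decision as a plain function and drives it with hand-built stand-ins for the Actions event and api objects. Only the fields the article relies on (event.stats.logins_count, event.user.app_metadata, api.user.setAppMetadata, api.access.deny) are modelled; the user id and every scenario below are constructed.

```javascript
// Added example: exercises the first-login password-reset logic offline.
// The fake `event` and `api` objects only model the fields the article uses.

const RESET_FLAG = 'needsPasswordReset';
const DENY_REASON = 'Please reset your password!';

// The decision logic under test, written as a plain function so it runs outside
// the Actions runtime. The real action is async, but this logic has no awaits.
function decideLogin(event, api) {
  const loginCount = event.stats.logins_count;
  // app_metadata may be absent on a freshly created user, so default it.
  const appMetadata = event.user.app_metadata || {};

  if (loginCount === 1) {
    // First login: mark the user and refuse access until the password is reset.
    api.user.setAppMetadata(RESET_FLAG, true);
    api.access.deny(DENY_REASON);
    return;
  }
  if (appMetadata[RESET_FLAG] === true) {
    // The post-change-password action has not cleared the flag yet.
    api.access.deny(DENY_REASON);
  }
  // Flag false or missing: allow the login (nothing to do).
}

// Minimal stand-in for the Actions `api` object: records what the action did.
function makeFakeApi() {
  const calls = { appMetadata: {}, denied: null };
  return {
    calls,
    user: { setAppMetadata: (name, value) => { calls.appMetadata[name] = value; } },
    access: { deny: (reason) => { calls.denied = reason; } },
  };
}

// Builds a constructed login event; `appMetadata` is what the tenant stores now.
function makeEvent(loginsCount, appMetadata) {
  return {
    stats: { logins_count: loginsCount },
    user: { user_id: 'auth0|constructed-user-id', app_metadata: appMetadata },
  };
}

// Runs one login through the decision and reports the outcome.
function simulateLogin(loginsCount, appMetadata) {
  const api = makeFakeApi();
  decideLogin(makeEvent(loginsCount, appMetadata), api);
  return {
    allowed: api.calls.denied === null,
    reason: api.calls.denied,
    flagWritten: api.calls.appMetadata[RESET_FLAG],
  };
}

// Walks a user through the lifecycle the article describes, plus a user
// created before this action existed (no flag at all).
function walkthrough() {
  return {
    firstLogin: simulateLogin(1, undefined),
    secondLoginBeforeReset: simulateLogin(2, { needsPasswordReset: true }),
    loginAfterReset: simulateLogin(3, { needsPasswordReset: false }),
    legacyUserNoFlag: simulateLogin(7, {}),
  };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

The legacyUserNoFlag case is the one worth noticing: a user whose app_metadata never received the flag is allowed through, so the pair of actions only affects users whose first login happens after the post-login action is deployed.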

Option 2: Leverage the Forms Feature

This option uses the Forms feature. A basic example of this implementation is shown below:

  1. Create a form with a step node to obtain the new password value from the user and a flow node that sends an Update a User request with the new password.
       • Step Node Configuration: For example, the Field ID could be “password”. This ID is used to pass the field value to the flow node.
       • Flow Node Configuration: Modify the {{fields.ID}} placeholder in the Update a User request payload to match the Field ID from the step node (e.g., {{fields.password}}).
  2. Publish the form.
  3. Render the form using Actions. Use the login count to determine if the user is new.
exports.onExecutePostLogin = async (event, api) => {
  const FORM_ID = 'ENTER FORM ID HERE';
  const loginCount = event.stats.logins_count;
  // Render the password form only on the user's first login
  if (loginCount === 1) {
    api.prompt.render(FORM_ID);
  }
};

// Called when the login flow resumes after the form is submitted; nothing more is needed here
exports.onContinuePostLogin = async (event, api) => {};

After the password is changed, the user is logged in and the tenant logs will also confirm that the password was changed.

Option 3: Manual Password Reset Initiation via Email

This method involves creating user accounts with a random password and then initiating a password reset process.

  1. Create user accounts with a randomly generated password.
  2. Initiate the password reset for the user through one of the following methods:

This approach ensures that the user must:

  • Have access to the email address associated with their account.
  • Set their own password before their initial login.