How to let users change their email safely?

Hello,
Given that the email address is a unique identifier of a user, and that providing the ability to change the email address via self-service should be considered a very sensitive operation, care must be taken to verify the user's ownership of their currently logged-in account, along with ownership of the new email address, before the user's email is changed.

  • In order to verify the user's current ownership, this can be achieved by having the user go through step-up, i.e. prompting the user to re-enter their password or challenging them with MFA (if already enrolled).

  • In order to verify ownership of the new email address, this can be achieved by sending an OTP code/verification link to the new email address. The Auth0 passwordless email feature can be used to perform this.

Once the above two things are successfully completed, the user's email can be changed by calling the Auth0 Management API v2 Update User endpoint.

Please do note that changing a user's email will terminate all SSO sessions of the user for security reasons, so it is important to prompt the user to re-enter their credentials using the new email address/password.

Depending on the UX experience that you're looking for, there might be a few ways to implement this. For a generic detailed design, please see this GitHub repo. In case more guidance is needed, Auth0 Professional Services can definitely assist in designing/implementing an architecture to suit your UX needs while aligning with security best practices.

Hope that helps!
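As an added example (not from the original post or from Auth0), here is a minimal server-side flow in Python for the three steps described above: it refuses to start without a completed step-up, issues a hashed, time-limited, single-use code for the new address, and on a correct code assembles the Management API v2 Update User request. The function names and the in-memory pending store are assumptions; the request is only built, not sent, so it runs offline.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

OTP_TTL_SECONDS = 600   # code sent to the new address is valid for 10 minutes
MAX_ATTEMPTS = 5        # brute-force limit on code guesses per pending change
_pending = {}           # constructed in-memory store: user_id -> pending change

def _otp_hash(otp):
    return hashlib.sha256(otp.encode()).hexdigest()

def start_email_change(user_id, new_email, step_up_ok, now=None):
    """Steps 1 and 2 of the post: refuse unless the user just completed
    step-up (password re-entry or MFA), then issue a one-time code for the
    NEW address. Only a hash of the code is kept server-side."""
    if not step_up_ok:
        raise PermissionError("step-up authentication required")
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[user_id] = {
        "new_email": new_email.strip().lower(),
        "otp_hash": _otp_hash(otp),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return otp  # deliver to new_email out of band; never echo it to the browser

def confirm_email_change(user_id, submitted_otp, connection, now=None):
    """Step 3: check the code against the pending change and assemble the
    Management API v2 Update User request (PATCH /api/v2/users/{id}).
    The caller sends it with a Management API token; since the change ends
    the user's SSO sessions, it should then redirect the user to log in again."""
    now = time.time() if now is None else now
    p = _pending.get(user_id)
    if p is None or now > p["expires"]:
        _pending.pop(user_id, None)
        raise ValueError("no pending change or code expired")
    p["attempts"] += 1
    if p["attempts"] > MAX_ATTEMPTS:
        _pending.pop(user_id, None)
        raise ValueError("too many attempts; restart the change")
    if not hmac.compare_digest(p["otp_hash"], _otp_hash(submitted_otp)):
        raise ValueError("incorrect code")
    _pending.pop(user_id)  # single use: a verified code cannot be replayed
    body = {"email": p["new_email"], "email_verified": True, "connection": connection}
    return "PATCH", f"/api/v2/users/{quote(user_id, safe='')}", body
```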
