Hi Auth0 team,
Often users who ask for a password reset with Auth0 ask 2 times for the email.
Problem: they click on the wrong email in their mailbox and they get an expired link error with Auth0 because they don’t click on the last link sent by Auth0.
Is there a way to disable this standard security feature with Auth0, as password reset email links also have time expiration settings with the URL Lifetime setting?
Thanks a lot for your help !
Hi @clement1 ,
Thank you for posting this topic on the Auth0 Community!
I understand that you want to make the previously sent reset password link work within the URL Lifetime.
As mentioned in this article,
If the user receives multiple password reset emails, only the password link in the most recent email is valid.
The link in every email has a unique ticket number which is for securing the request. We can not disable this security feature.
Please let us know if there are any other queries we can assist with.
@lihua.zhang
This is very confusing for many users, especially because the error page shown on Auth0 after clicking on an expired link is absolutely not understandable by end users (see the picture below).
Having an error page like
“This password change link is expired for security reasons. Please click on the last link you received, or re-send an email to recover my password”
would better fit user understanding.
Our users are in real estate, and we need this part to be much more understandable by our users, who are not digital natives.
So how can we:
- disable this behavior of expired links ?
- Customise this error page with a link to password recovery
Thanks a lot for your help
Hi @clement1 ,
Your tenant has the Classic Universal Login enabled. Unfortunately, we can not customize the error page for the Classic UL, nor disable the behavior of expired links.
The workaround is to switch to the “New Universal Login” and customize the reset password error page. Please send a PUT request to the https://{your domain}/api/v2/prompts/reset-password/custom-text/en endpoint, with the body below:
{
  "reset-password-error": {
    "descriptionExpired": "This password change link is expired for security reasons. Please click on the last link you received, or re-send an email to recover my password"
  }
}
and here is what the updated error page looks like.
Reference:
Customize New Universal Login Text Prompts
Is this something you can explore?
Thanks a lot, and how do you provide the texts for different languages ?
https://{your domain}/api/v2/prompts/reset-password/custom-text/fr
https://{your domain}/api/v2/prompts/reset-password/custom-text/es
No way to easily provide as a json ?
Your below endpoints are correct! That’s the only way we update the New UL for different locales.
https://{your domain}/api/v2/prompts/reset-password/custom-text/fr
https://{your domain}/api/v2/prompts/reset-password/custom-text/es
Thanks a lot,
Where can I find a deeper doc about the prompt keys I can modify ?
https://{your domain}/api/v2/prompts/{thekey}/custom-text/fr
For example how to change the Title “Link Expired” and separately the text below
This doc is quite opaque: Auth0 Management API v2
I mean,
We don’t know which screen every key is linked to
Moreover I’m using the New Universal Login, but it looks like the error page is the Classic Universal Login
@clement1 ,
Where can I find a deeper doc about the prompt keys I can modify?
https://{your domain}/api/v2/prompts/{thekey}/custom-text/fr
For example how to change the Title “Link Expired” and separately the text below
{thekey} is the PROMPT.
To update “Link Expired”, we call the eventTitleExpired like below.
https://{your domain}/api/v2/prompts/reset-password/custom-text/en
{
  "reset-password-error": {
    "descriptionExpired": "This password change link is expired for security reasons. Please click on the last link you received, or re-send an email to recover my password",
    "eventTitleExpired": "your title"
  }
}
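The per-locale PUT calls discussed in this thread can be generated from a single mapping of locale to texts. This is an added example, not part of the original thread and not Auth0's code; the tenant domain, the token, and the fr/es wording are constructed placeholders, and the key check covers only the two keys named in the thread.

```python
import json
import urllib.request

PROMPT = "reset-password"        # prompt and screen names as used in the thread
SCREEN = "reset-password-error"
KNOWN_KEYS = {"descriptionExpired", "eventTitleExpired"}  # keys shown in the thread

# Constructed sample texts; the fr/es wording is illustrative only.
TEXTS = {
    "en": {"eventTitleExpired": "Link expired",
           "descriptionExpired": "This password change link is expired for security "
           "reasons. Please click on the last link you received, or re-send an email "
           "to recover my password"},
    "fr": {"eventTitleExpired": "Lien expiré",
           "descriptionExpired": "Ce lien a expiré pour des raisons de sécurité. "
           "Utilisez le dernier lien reçu ou demandez un nouvel e-mail."},
    "es": {"eventTitleExpired": "Enlace caducado",
           "descriptionExpired": "Este enlace ha caducado por motivos de seguridad. "
           "Use el último enlace recibido o solicite un nuevo correo."},
}


def build_requests(domain, token, texts):
    """Return {locale: PUT request} for the custom-text endpoint of each locale."""
    out = {}
    for locale, strings in texts.items():
        unknown = set(strings) - KNOWN_KEYS
        if unknown:  # catch typos before they reach the tenant
            raise ValueError(f"{locale}: unexpected keys {sorted(unknown)}")
        body = json.dumps({SCREEN: strings}, ensure_ascii=False).encode("utf-8")
        out[locale] = urllib.request.Request(
            url=f"https://{domain}/api/v2/prompts/{PROMPT}/custom-text/{locale}",
            data=body, method="PUT",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
    return out


def push(reqs):
    """Send the requests (needs network access); returns {locale: HTTP status}."""
    statuses = {}
    for locale, req in reqs.items():
        with urllib.request.urlopen(req, timeout=10) as resp:
            statuses[locale] = resp.status
    return statuses


if __name__ == "__main__":
    # Placeholders: tenant domain and a Management API token with update:prompts.
    for req in build_requests("YOUR_TENANT.example.com", "MGMT_API_TOKEN", TEXTS).values():
        print(req.get_method(), req.full_url, req.data.decode("utf-8"))
```

Running the file only prints the three requests; call `push()` on the result to apply them to a tenant.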
Could you please go to the “Login”, “Password Reset”, and “Multi-factor Authentication” tab and set the Customize off, and try again?