Likely bug in Password Rotation integration

I recently added the Password Rotation integration to the post-login trigger. After that, a few users who logged in reported that no matter how many times they reset their password, they kept getting the error that their password had expired, and they were never able to log in successfully. Some other users had no issues and were able to reset their password and log in successfully.

I compared the Raw JSON of users who have the issue with that of a user who doesn’t. I found that users who have the issue have the last_password_reset field appearing twice: once at the top level and once under app_metadata. Users who don’t have the issue have the last_password_reset field only once, at the top level.

When someone changes the password, only the last_password_reset field at the top level is updated. It appears that the Password Rotation integration checks the last_password_reset field in app_metadata first, and since that one never gets updated when the password changes, an error is returned.

For now I removed the integration so that our users can log in. Requesting Auth0 to fix the integration code so that I can resume using it.

Here’s a simple illustration of Raw JSON:
User with issue:

{
  ...
  "last_password_reset": "2025-01-13T00:00:00.000Z",
  ...
  "app_metadata": {
    ...
    "last_password_reset": "2024-01-13T00:00:00.000Z",
    ...
  }
}

User with no issue:

{
  ...
  "last_password_reset": "2025-01-13T00:00:00.000Z",
  ...
}

Hi @saithal,

I have tested the Password Rotation integration and did not encounter any issues with it. I tested with a user who has the last_password_reset in the app_metadata and at the root level attribute. In both cases, the user was prompted to reset their password and denied access.

If this does not work, you can implement a post-login action script to mimic the same behavior. For this, I recommend referring to this related post.

Let me know if you have any additional questions.

Thanks,
Rueben

Hi @rueben.tiow

Thank you for your reply.

I couldn’t get the Password Rotation Integration to work and implemented a similar feature using a custom action.


Hi @saithal,

Thanks for the update.

Perfect, that sounds good.

Let us know if there’s anything else we can do to help.

Cheers,
Rueben

Hi @rueben.tiow

The custom action I implemented also failed for the same reason.

When I debugged the custom action, I found that when a user has last_password_reset in both the root level and in app_metadata, then in the event.user object received by the action method, the value of last_password_reset at the root level is overwritten by the value of app_metadata.last_password_reset.

When the user changes the password, only the root-level attribute is updated and app_metadata.last_password_reset remains the same, causing an access-denied error the next time the user logs in, thus preventing the user from logging in successfully at all.

This appears to be an issue in Auth0 itself and not the Password Rotation integration. I’ll be creating a support ticket to get this resolved.

Thanks,
Shridhara
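The field collision described in this thread is easy to reproduce in isolation. The following is an added example, not code from the thread, from the Password Rotation integration, or from Auth0: it models the event.user behaviour reported above (the root-level last_password_reset replaced by the app_metadata copy), runs the kind of age check a custom post-login Action would perform, and includes a small detection pass over exported user records that flags accounts whose app_metadata carries a stale copy. The user_id values, the 90-day policy, the "now" timestamp and the SAMPLE_USERS records are constructed; the (event, api) handler signature and api.access.deny are Auth0's Actions API, everything else is this example's own.

```javascript
// Added example (not from the thread or from Auth0). Models the
// last_password_reset collision described above and shows why a
// root-level age check denies a user whose password was just reset.

const MS_PER_DAY = 86400000;
const MAX_PASSWORD_AGE_DAYS = 90; // assumed rotation policy

// Parse an ISO-8601 timestamp; null for missing or unparseable values.
function parseIso(value) {
  if (typeof value !== 'string') return null;
  const t = Date.parse(value);
  return Number.isNaN(t) ? null : t;
}

// Detection over exported user records (e.g. a Management API export):
// return the user_ids whose app_metadata.last_password_reset is older than
// the root-level last_password_reset. These are the accounts that will be
// wrongly denied by a check that reads the shadowed value.
function findStaleAppMetadataResets(users) {
  return users
    .filter((u) => {
      const root = parseIso(u.last_password_reset);
      const meta = parseIso(u.app_metadata && u.app_metadata.last_password_reset);
      return root !== null && meta !== null && meta < root;
    })
    .map((u) => u.user_id);
}

// Model of what the thread reports event.user contains when both fields are
// present: the root-level value replaced by app_metadata.last_password_reset.
// This is a model of the observed behaviour, not Auth0's merge logic.
function asObservedEventUser(rawUser) {
  const meta = rawUser.app_metadata && rawUser.app_metadata.last_password_reset;
  return meta ? { ...rawUser, last_password_reset: meta } : { ...rawUser };
}

// The rotation check itself. Expired when the last reset is older than
// maxAgeDays, or when no timestamp is available at all (fail closed).
function passwordExpired(eventUser, nowMs, maxAgeDays) {
  const last = parseIso(eventUser && eventUser.last_password_reset);
  if (last === null) return true;
  return (nowMs - last) / MS_PER_DAY > maxAgeDays;
}

// Post-login Action handler in the shape Auth0 expects; only the policy
// helpers above are this example's own.
async function onExecutePostLogin(event, api) {
  if (passwordExpired(event.user, Date.now(), MAX_PASSWORD_AGE_DAYS)) {
    api.access.deny('Password expired: reset it before logging in again.');
  }
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample records mirroring the two users shown in the thread.
const SAMPLE_USERS = [
  {
    user_id: 'auth0|with-issue', // constructed placeholder id
    last_password_reset: '2025-01-13T00:00:00.000Z',
    app_metadata: { last_password_reset: '2024-01-13T00:00:00.000Z' },
  },
  {
    user_id: 'auth0|no-issue', // constructed placeholder id
    last_password_reset: '2025-01-13T00:00:00.000Z',
    app_metadata: {},
  },
];

// Walk through the failure mode for both sample users at a fixed "now".
function demo() {
  const now = Date.parse('2025-02-01T00:00:00.000Z'); // constructed
  return {
    flagged: findStaleAppMetadataResets(SAMPLE_USERS),
    // What the Action actually sees vs. what the root-level record says.
    withIssueDeniedAsObserved: passwordExpired(asObservedEventUser(SAMPLE_USERS[0]), now, MAX_PASSWORD_AGE_DAYS),
    withIssueDeniedByRootValue: passwordExpired(SAMPLE_USERS[0], now, MAX_PASSWORD_AGE_DAYS),
    noIssueDenied: passwordExpired(asObservedEventUser(SAMPLE_USERS[1]), now, MAX_PASSWORD_AGE_DAYS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

For the "with issue" record the root-level reset is 19 days old and should pass a 90-day policy, but the value the Action observes is the 385-day-old app_metadata copy, so the check denies; the "no issue" record has no app_metadata copy and passes. Because the root value is not recoverable from the shadowed event.user, the Action cannot compensate by comparing the two fields; the useful controls are the detection pass, which lists the accounts in the inconsistent state before they are locked out, and keeping app_metadata free of a stale copy of the field so that only the value Auth0 updates on reset is consulted.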