Password Reset / Post Challenge Actions Do Not Appear in Logs

Overview

A “Password Reset / Post Challenge” Action has been written. However, when finishing a Password Change successfully, it does not seem to show up on the “Success Change Password” log event.

The corresponding “scp” event does not have an Action Details tab that shows the Action execution details.

Cause

The “Password Reset / Post Challenge” trigger is meant to run when the user clicks on the password reset link in their email but BEFORE changing their password. Please see more details in the Password Reset Flow documentation. The console.log statements may not be seen in Action because of how Auth0 log events are captured. When a password change is performed, there are two log events that are relevant:

  1. Success Change Password Request (this is when the email is sent out);
  2. Success Change Password (this is when the password has already been reset).

What is not captured on the logs is when the user actually clicks on the link (i.e., the step BETWEEN the password change request and the successful change password), so a console.log on “Password Reset / Post Challenge” trigger would not be visible on the logs normally.

Solution

Verify the Action is being hit by following one of the two processes:

  1. Go to Extensions > Real-time Webtask Logs and perform any necessary setup steps. After the extension has been set up, perform the password reset flow. Clicking on the password reset link on the email will trigger the console.log which will be visible on the Extension, but not the logs because the logs do not capture the real-time data for when the user clicks on the password reset link.
  2. The other way to verify this, and that will be more visible to the user, is to do a simple redirect on the Action. An example script might be:
  exports.onExecutePostChallenge = async (event, api) => {
    api.redirect.sendUserTo('https://google.com';);
  };

For the sake of testing, use an empty request body for “onContinuePostChallenge” below “onExecutePostChallenge” here. What should be verified is that when the user clicks on the password reset link, they are redirected to Google, which will verify the Actions are running.