Password Strength

Auth0 allows you to set up different password policies (password strength) for different connections. This approach requires different databases.
It looks like a group of users (clients) who have one password policy would have to share one database, and users who have a different password policy would have to use a different database?

What if we don’t want to create a different connection and databases but want the ability to set different password strength rules for different client IDs within the same database?
Can someone recommend a viable approach – use rules or hooks or anything else?

I think it is answered here → How to achieve two password policy for different users in same connection - #2 by nicolas_sabena

That’s not possible. Password policies apply to a DB connection (collectively a set of users) and not to an app. If you want different password policies, and those two sets of users are clearly different, then you can use two different DB connections.
If, on the other hand, you want the same set of users using the two applications, you would be in trouble if a user signs up in one app and then tries to use the other, where the password policy would be different.

At this moment, there is no workaround to achieve different password policies for the same database connection.


Thanks Tanver.

I tested a scenario where a user with the same email exists in two different connections.
I enabled the same application for the same two connections.
The situation is like this:
Connection1 [user1/pswd1, app1]
Connection2 [user1/pswd2, app1]
When I try to log in to app1, only the credentials user1/pswd1 work (user1/pswd2 does not work).
Is there a rule in Auth0 which always allows the FIRST created user (in my case user1/pswd1) to be picked up as the user who is allowed to log in, or is this just a coincidence?

My second question is about SSO. Can SSO be allowed between different applications even if they use two different connections?
Connection1 [user1, app1]
Connection2 [user1, app2]
Is SSO going to work between app1 and app2 for user1?

PS:
In those examples, user1 means two profiles were created, one for each connection, but with the same email address. I used different passwords to distinguish which credentials are working and which are not.