Feature: Provide reasons for password policy failure on Management API as on the Authentication API
Description: Attempting to create (POST) or update (PATCH) a user on the Management API with a password that doesn’t match the configured policy results in a 400 response with little information other than a PasswordStrengthError
Request
curl --location --request PATCH 'https://<tenant>.auth0.com/api/v2/users/<user_id>' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
"password": "1"
}'
Response
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "PasswordStrengthError: Password is too weak"
}
As we’re planning to use the Management API to create users from our own backend services and host our own change-password form, this prevents us from providing useful feedback to the user on what they need to change to comply with the policy.
Attempting to sign up a user using the Authentication API provides a different error syntax and much richer detail, which can be used to guide the user on choosing a compliant password.
Request
curl --location --request POST 'https://<tenant>.auth0.com/dbconnections/signup' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'email=<user_email>' \
--data-urlencode 'password=1' \
--data-urlencode 'connection=<connection_id>'
Response
{
  "name": "PasswordStrengthError",
  "message": "Password is too weak",
  "code": "invalid_password",
  "description": {
    "rules": [
      {
        "message": "At least %d characters in length",
        "format": [
          8
        ],
        "code": "lengthAtLeast",
        "verified": false
      },
      {
        "message": "Should contain:",
        "code": "shouldContain",
        "verified": false,
        "items": [
          {
            "message": "lower case letters (a-z)",
            "code": "lowerCase",
            "verified": false
          },
          {
            "message": "upper case letters (A-Z)",
            "code": "upperCase",
            "verified": false
          },
          {
            "message": "numbers (i.e. 0-9)",
            "code": "numbers",
            "verified": true
          }
        ]
      }
    ],
    "verified": false
  },
  "policy": "* At least 8 characters in length\n* Should contain:\n * lower case letters (a-z)\n * upper case letters (A-Z)\n * numbers (i.e. 0-9)",
  "statusCode": 400
}
It would be useful if this rich error information was included in the Management API response too - both when registering new users and updating the password for existing users.
Use-case:
We are replacing an existing system and there are a number of reasons why it would be beneficial for us to use the Management API from backend services instead of the Authentication API.
- We collect/generate additional user metadata at registration, which is beyond the restrictions set on the user_metadata parameter in the /signup Authentication API endpoint.
- We have our own custom password reset flow and don’t currently want to switch to the Auth0 hosted reset forms.
The limitations with feedback on the Management API mean there’s little choice but to implement password policy validation outside of Auth0 where we can pick up on the reasons for failure to message to the user, which we could otherwise have easily managed as part of our Auth0 configuration along with password history, breached credential detection etc.
Here are a number of other posts that have highlighted this issue - although I couldn’t find an existing post in the Feedback section:
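For a backend service or self-hosted change-password form that consumes the Authentication API error shape shown above, here is an added example (not part of the original post and not Auth0 code) that walks the nested rules/items structure, fills the %d placeholders from the format list, and returns only the unmet rules as user-facing messages; the sample error is constructed from the /dbconnections/signup response quoted above.

```python
import json

# Constructed sample, copied from the shape of the Authentication API
# /dbconnections/signup PasswordStrengthError response shown above.
SAMPLE_ERROR = json.loads("""
{
  "name": "PasswordStrengthError",
  "message": "Password is too weak",
  "code": "invalid_password",
  "description": {
    "rules": [
      {"message": "At least %d characters in length", "format": [8],
       "code": "lengthAtLeast", "verified": false},
      {"message": "Should contain:", "code": "shouldContain", "verified": false,
       "items": [
         {"message": "lower case letters (a-z)", "code": "lowerCase", "verified": false},
         {"message": "upper case letters (A-Z)", "code": "upperCase", "verified": false},
         {"message": "numbers (i.e. 0-9)", "code": "numbers", "verified": true}
       ]}
    ],
    "verified": false
  },
  "statusCode": 400
}
""")


def _render(rule):
    """Fill the printf-style placeholders in 'message' from the rule's 'format' list."""
    fmt = rule.get("format")
    return rule["message"] % tuple(fmt) if fmt else rule["message"]


def unmet_rules(error):
    """Return (code, message) pairs for every rule (and nested item) the password
    failed, in policy order, so a change-password form can list exactly what to fix.
    Anything other than an invalid_password error yields an empty list."""
    failures = []
    if error.get("code") != "invalid_password":
        return failures
    for rule in error.get("description", {}).get("rules", []):
        if rule.get("verified"):
            continue  # whole rule satisfied, skip its items too
        failures.append((rule["code"], _render(rule)))
        for item in rule.get("items", []):
            if not item.get("verified"):
                failures.append((item["code"], _render(item)))
    return failures
```

Rules whose verified flag is true (here the numbers item) are dropped, so the caller only surfaces the requirements the submitted password actually missed.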