PasswordStrengthError on Management API doesn't include

Feature: Provide reasons for password policy failure on Management API as on the Authentication API

Description: Attempting to create (POST) or update (PATCH) a user on the Management API with a password that doesn’t match the configured policy results in a 400 response with little information other than a PasswordStrengthError

Request

curl --location --request PATCH 'https://<tenant>.auth0.com/api/v2/users/<user_id>' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "password": "1"
}'

Response

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "PasswordStrengthError: Password is too weak"
}

As we’re planning to use the Management API to create users from our own backend services and host our own change-password form, this prevents us from providing useful feedback to the user on what they need to change to comply with the policy.

Attempting to sign up a user using the Authentication API provides a different error syntax and much richer detail, which can be used to guide the user on choosing a compliant password.

Request

curl --location --request POST 'https://<tenant>.auth0.com/dbconnections/signup' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'email=<user_email>' \
--data-urlencode 'password=1' \
--data-urlencode 'connection=<connection_id>'

Response

{
    "name": "PasswordStrengthError",
    "message": "Password is too weak",
    "code": "invalid_password",
    "description": {
        "rules": [
            {
                "message": "At least %d characters in length",
                "format": [
                    8
                ],
                "code": "lengthAtLeast",
                "verified": false
            },
            {
                "message": "Should contain:",
                "code": "shouldContain",
                "verified": false,
                "items": [
                    {
                        "message": "lower case letters (a-z)",
                        "code": "lowerCase",
                        "verified": false
                    },
                    {
                        "message": "upper case letters (A-Z)",
                        "code": "upperCase",
                        "verified": false
                    },
                    {
                        "message": "numbers (i.e. 0-9)",
                        "code": "numbers",
                        "verified": true
                    }
                ]
            }
        ],
        "verified": false
    },
    "policy": "* At least 8 characters in length\n* Should contain:\n * lower case letters (a-z)\n * upper case letters (A-Z)\n * numbers (i.e. 0-9)",
    "statusCode": 400
}

It would be useful if this rich error information was included in the Management API response too - both when registering new users and updating the password for existing users.

Use-case:
We are replacing an existing system and there are a number of reasons why it would be beneficial for us to use the Management API from backend services instead of the Authentication API.

  1. We collect/generate additional user metadata at registration, which is beyond the restrictions set on the user_metadata parameter in the /signup Authentication API endpoint
  2. We have our own custom password reset flow and don’t currently want to switch to the Auth0 hosted reset forms.

The limitations with feedback on the Management API mean there’s little choice but to implement password policy validation outside of Auth0 where we can pick up on the reasons for failure to message to the user, which we could otherwise have easily managed as part of our Auth0 configuration along with password history, breached credential detection etc.

Here are a number of other posts that have highlighted this issue - although I couldn’t find an existing post in the Feedback section:
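As an added illustration (not code from the original post or from Auth0), here is a small parser a backend service could run over the two error shapes shown above: the rich Authentication API body, whose `description.rules` tree carries a `verified` flag per rule and `%d`-style format placeholders, and the flat Management API body, which only offers the `message` string. The sample error bodies below are constructed from the responses quoted in the post; the function names are hypothetical.

```python
import json

# Constructed sample: the Authentication API error body quoted in the post,
# trimmed to the fields the parser uses (rules, items, verified, format).
AUTH_API_ERROR = json.loads("""
{
  "name": "PasswordStrengthError",
  "message": "Password is too weak",
  "code": "invalid_password",
  "description": {
    "rules": [
      {"message": "At least %d characters in length", "format": [8],
       "code": "lengthAtLeast", "verified": false},
      {"message": "Should contain:", "code": "shouldContain", "verified": false,
       "items": [
         {"message": "lower case letters (a-z)", "code": "lowerCase", "verified": false},
         {"message": "upper case letters (A-Z)", "code": "upperCase", "verified": false},
         {"message": "numbers (i.e. 0-9)", "code": "numbers", "verified": true}
       ]}
    ],
    "verified": false
  },
  "statusCode": 400
}
""")

# Constructed sample: the Management API error body quoted in the post.
MGMT_API_ERROR = {
    "statusCode": 400,
    "error": "Bad Request",
    "message": "PasswordStrengthError: Password is too weak",
}

ERROR_PREFIX = "PasswordStrengthError: "


def _render(rule):
    """Substitute the rule's 'format' values into its printf-style message."""
    fmt = rule.get("format")
    message = rule["message"]
    return message % tuple(fmt) if fmt else message


def is_password_policy_error(error):
    """True for either API's PasswordStrengthError shape."""
    if error.get("statusCode") != 400:
        return False
    if error.get("code") == "invalid_password" or error.get("name") == "PasswordStrengthError":
        return True
    return str(error.get("message", "")).startswith(ERROR_PREFIX)


def unmet_password_rules(error):
    """Return user-facing messages for every policy rule the password failed.

    With the Authentication API body this walks description.rules; a composite
    rule (one with 'items') contributes only its unmet sub-items, prefixed with
    the parent's message. With the Management API body there is no rule tree,
    so the only thing that can be surfaced is the bare message text.
    """
    if not is_password_policy_error(error):
        return []
    description = error.get("description")
    if not isinstance(description, dict):
        # Management API shape: just strip the error-class prefix.
        message = str(error.get("message", ""))
        if message.startswith(ERROR_PREFIX):
            message = message[len(ERROR_PREFIX):]
        return [message] if message else []
    problems = []
    for rule in description.get("rules", []):
        items = rule.get("items")
        if items:
            failed = [i["message"] for i in items if not i.get("verified", False)]
            if failed:
                problems.append(_render(rule) + " " + ", ".join(failed))
        elif not rule.get("verified", False):
            problems.append(_render(rule))
    return problems


if __name__ == "__main__":
    for body in (AUTH_API_ERROR, MGMT_API_ERROR):
        for line in unmet_password_rules(body):
            print("-", line)
```

Run against the Authentication API body this yields two actionable lines (the length rule and the two missing character classes, with the satisfied `numbers` item dropped); against the Management API body it can only return "Password is too weak", which is exactly the gap the post describes.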

Hey there!

Thanks for creating this feedback card. Let’s see who else will be interested in such improvement!


I would really appreciate such an improvement.

Thank you for adding your +1 to it Oskar!

I see a lot of value in adding detailed reasons in the response. The logic is already implemented, someone needs to expose it in the response.
TIA. I hope engineering picks this up soon.

Make sure to upvote it @rajatmtalwar !


Hi @konrad.sopala, is there any update on this? We are also using the Management API to configure passwords for our users, and detailed feedback in the response would be extremely helpful.