Prevent password reset for blocked users

We use Auth0 for single sign-on.
Sometimes we mark users as inactive if they haven’t signed in for a while. However, they are still able to reset their password, which we don’t want. We would rather they received a different email when they tried to reset their passwords, to the effect of “Contact your administrator”.
I thought a way around this could be to block inactive users, but it seems that blocked users can still reset their passwords.
Is there another way to do this?

Hi @Paul.Buck

Even if a blocked user resets their password, an unauthorized response should be returned with a description of “user is blocked” when they sign in and are redirected to your callback URL. You could handle this in your application to show a message to contact an administrator.

Hope this helps
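
One way to handle that response in the application's callback route, as an added example that is not part of the original posts or Auth0's own code. The function names, messages and the use of the OAuth `state` check are assumptions; the point is to match the fixed "user is blocked" string and show a fixed message, never the raw `error_description` from the query string.

```javascript
// Added example: classify an Auth0 callback redirect without echoing
// attacker-controllable query text back to the user.
const MESSAGES = {
  blocked: "Your account is inactive. Contact your administrator.",
  failed: "Sign-in failed. Please try again.",
};

// Strings taken from the answer above: an "unauthorized" error whose
// description is "user is blocked".
function isBlockedUser(params) {
  const error = (params.get("error") || "").toLowerCase();
  const description = (params.get("error_description") || "")
    .trim()
    .toLowerCase();
  return error === "unauthorized" && description === "user is blocked";
}

// callbackUrl: the full URL the browser was redirected to.
// expectedState: the value this session stored before redirecting
// (assumption: the app uses the standard OAuth "state" parameter).
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;

  // Ignore redirects that did not originate from this session's login.
  if (!expectedState || params.get("state") !== expectedState) {
    return { outcome: "rejected", message: MESSAGES.failed };
  }
  if (isBlockedUser(params)) {
    return { outcome: "blocked", message: MESSAGES.blocked };
  }
  // Any other error gets a generic message; the description is only
  // compared, never rendered.
  if (params.has("error")) {
    return { outcome: "error", message: MESSAGES.failed };
  }
  if (params.has("code")) {
    return { outcome: "continue", code: params.get("code") };
  }
  return { outcome: "rejected", message: MESSAGES.failed };
}
```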

Hi,
thanks for the response.
However, we want to send a different email to the reset email if the user is blocked, as we feel this would provide a better user experience.
We don’t want the user to go through the reset process if this is ultimately going to be pointless.
Is this possible?
Thanks
Paul

Hey @Paul.Buck,

Thinking about it further, if you are using a paid subscription, you could try customising the Change Password email template using Liquid Syntax. The docs are:

I would still advocate handling this specific unauthorized response in your application, as a belt and braces approach.

Hope this helps


Thanks for sharing that @andyck!
