Hi, we are experiencing an undesirable situation related to the Change Password email. What we want is that when a user clicks on an expired/stale change-password email ticket, the user is redirected to our domain's /login page. Instead, what we see is that users are presented with the Auth0 hosted error page (i.e. Authentication Error). We have tried setting the redirectUrl within the Change Password template to both a hardcoded value and the liquid variable, but what I have noticed is that it only redirects properly when the expired email is the most recent one. Any emails prior to that do not redirect for some reason. Is this expected behavior, and if so, is there anything we can do to change it so that ALL expired ticket emails redirect to our custom page regardless of how old the ticket may be?
Hi there @eric.furspan, welcome to the Auth0 Community!
I’m sorry to hear about the challenges you are facing with the change password email. We briefly touch on this in our Change User Password documentation below:
The reset password link in the email is valid for one use only, and it must be used before the time specified in the URL Lifetime field elapses. You can modify the URL Lifetime field in the Dashboard where you customize the Change Password email. See the Change User Password for DB Connections Authentication API endpoint for more information.
If multiple password reset emails are requested, only the password link in the most recent email will be valid.
Perhaps changing the password directly has more of the built-out functionality you are looking for presently.
However, I would encourage you to head to Auth0.com/feedback and share your use case with our Product team. Each one of the submissions gets read by the team and helps set the tone moving forward for features.
I think the question is about the redirection when the change password link in the email has expired or been used.
I am also facing the same issue now.
Here are the steps:
- Initiate reset password
- Click on the link from your email
- Change your password
- Go back to your email and click on the link again
Now, Auth0 used to redirect to our own URL (the Redirect To URL in the email template) with the error message as a query parameter. But now we are seeing an Auth0 page with some error message.
Clearly we don't want that.
Thanks for the feedback James. I would echo what @shubham.goyal has said. Based on this note
“If multiple password reset emails are requested, only the password link in the most recent email will be valid”
I understand that the prior password links themselves would expire after a new one is requested; that makes total sense. What I am confused about is why the redirection functionality would break for the old ones. That is the heart of our issue here.
After speaking with another engineer, this is the result of an expired ticket at that point in the past emailed links.
Got it. So just to be clear, the expectation is that all expired tickets will no longer redirect to the URL specified by the redirectUrl field?
I have the same question: will it redirect to the URL configured in the Email Template settings? If not, can we customise the above page?