redirectUrl of Change Password email template not working for older emails

Hi, we are experiencing an undesirable situation related to the Change Password email. What we want is that when a user clicks on an expired/stale change-password email ticket, the user is redirected to our domain's /login page. Instead, what we see is that users are presented with the Auth0 hosted error page (i.e. Authentication Error). We have tried setting the redirectUrl within the Change Password template to both a hardcoded value and the Liquid variable, but what I have noticed is that it only redirects properly when the expired email is the most recent one. Any emails prior to that do not redirect for some reason. Is this expected behavior, and if so, is there anything we can do to change it so that ALL expired ticket emails redirect to our custom page regardless of how old the ticket may be?

Hi there @eric.furspan, welcome to the Auth0 Community!

I’m sorry to hear about the challenges you are facing with the change password email. We briefly touch on this in our Change User Password documentation below:

The reset password link in the email is valid for one use only, and it must be used before the time specified in the URL Lifetime field elapses. You can modify the URL Lifetime field in the Dashboard where you customize the Change Password email. See the Change User Password for DB Connections Authentication API endpoint for more information.

If multiple password reset emails are requested, only the password link in the most recent email will be valid.

Perhaps changing the password directly has more of the built-out functionality you are looking for presently.

However, I would encourage you to head to Auth0: Secure access for everyone. But not just anyone. and share your use case with our Product team. Each one of the submissions gets read by the team and helps set the tone moving forward for features.

Hi James,

I think the question is about the redirection if the change password link in the email has expired or been used.

I am also facing the same issue now.

Here are the steps:

  • Initiate reset password
  • Click on the link from your email
  • Change your password
  • Go back again to your email and click on the link again

Now, Auth0 used to redirect to our own URL (Redirect To URL in the email template) with an error message as a query parameter. But now we are seeing an Auth0 page with some error message.

Clearly we don't want that.

Thanks.

1 Like

We are getting this now…

Thanks for the feedback James. I would echo what @shubham.goyal has said. Based on this note

“If multiple password reset emails are requested, only the password link in the most recent email will be valid”

I understand that the prior password links themselves would expire after a new one is requested, that makes total sense. What I am confused about is why the redirection functionality would break for the old ones. That is the heart of our issue here.

After speaking with another engineer, this is the result of an expired ticket at that point in the past emailed links.

Got it. So just to be clear, the expectation is that all expired tickets will no longer redirect to the URL specified by the redirectUrl field?

I have the same question. If it will redirect to the URL configured in Email Template settings. If not, then can we customise the above page?

@shubham.goyal and @eric.furspan are you both using Universal Login? If so, is it the new or classic experience? Thanks for the feedback as I continue to investigate this.

Thanks for looking into it. Yes, we are using the Universal Login Classic experience.

Same for me as well.

When you get a chance can you please direct message me your tenant name separately? Thanks in advance!

After working with a couple of engineers and going through a number of iterations on this subject, we feel we have found some inconsistencies. We are now working with the engineering team to see what we can devise for this situation and the overall desired result. I will keep you both updated @shubham.goyal and @eric.furspan as we move forward. Thanks!

Following up on this topic @eric.furspan and @shubham.goyal as we heard back from Engineering. Our engineering team shared that we resolve the URL to redirect the user to based on the ticket. Since we remove all previous tickets when creating a new one, the ticket is not available and we cannot resolve the redirect URL.

The best way to get the user redirected in the case the ticket is invalid is to configure the Auth0 default error page, following the instructions on: Default Auth0 Error Page.

To further confirm, our Engineering contact went as far as to test against a past stable version from the previous month and received the same result.
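
A simplified model of the ticket behaviour Engineering describes in the post above, as an added example that is not part of the original thread and is not Auth0's code. The class, method names, URL and the `error` query parameter are assumptions made for illustration; the point is that a redirect target stored on the ticket cannot be resolved once the ticket record has been removed.

```javascript
// Simplified model of the behaviour described in this thread; not Auth0 code.
// TicketStore, issue, resolve, demo and the "error" parameter are hypothetical.
const HOSTED_ERROR_PAGE = "hosted-error-page"; // stands in for the generic error page

class TicketStore {
  constructor() {
    this.tickets = new Map(); // ticketId -> { userId, redirectUrl, expiresAt, used }
    this.nextId = 1; // toy ids; real tickets are unguessable random values
  }

  // Issuing a new ticket removes every earlier ticket for the same user.
  issue(userId, redirectUrl, lifetimeMs, now) {
    for (const [id, t] of this.tickets) {
      if (t.userId === userId) this.tickets.delete(id);
    }
    const id = `ticket-${this.nextId++}`;
    this.tickets.set(id, { userId, redirectUrl, expiresAt: now + lifetimeMs, used: false });
    return id;
  }

  // The redirect URL is stored on the ticket, so it can only be resolved
  // while the ticket record still exists.
  resolve(id, now) {
    const t = this.tickets.get(id);
    if (!t) return { action: "error_page", target: HOSTED_ERROR_PAGE };
    if (t.used || now > t.expiresAt) {
      const url = new URL(t.redirectUrl);
      url.searchParams.set("error", t.used ? "ticket_used" : "ticket_expired");
      return { action: "redirect", target: url.toString() };
    }
    t.used = true;
    return { action: "show_reset_form", target: null };
  }
}

// Constructed scenario: two reset emails for one user, then link reuse,
// plus a second user whose only ticket has expired.
function demo() {
  const store = new TicketStore();
  const hour = 60 * 60 * 1000;
  const first = store.issue("user-1", "https://app.example/login", hour, 0);
  const second = store.issue("user-1", "https://app.example/login", hour, 1000);
  const lone = store.issue("user-2", "https://app.example/login", hour, 0);
  return {
    superseded: store.resolve(first, 2000),
    fresh: store.resolve(second, 2000),
    reused: store.resolve(second, 3000),
    expired: store.resolve(lone, 2 * hour),
  };
}
```

In this model, the used and expired tickets still redirect because their records survive, while the superseded ticket falls through to the generic error page.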

I can confirm that having the default error page set does not work for this use case. We have it configured and still get the “Access expired.” modal when a new token has been generated. It’s very inconvenient as users tend to click on old emails and see this often.

P.S.: I’m also using the Classic experience.

Thanks for digging into it James and getting the feedback from engineering, much appreciated.

1 Like

Thank you for working on this with us @eric.furspan!

@vincent.desmares can you direct message me your tenant when you get a chance? Thanks!

Following up on this @vincent.desmares to see if I can snag that tenant through a DM? Thanks in advance!