Require new users to change password before logging in

Problem statement

We have a requirement to block users from logging in until they have reset their password for the first time. Is there any way we can achieve this?

Solution

To block a user from accessing your application until they have completed a password change, deny the login in a Post-Login Action based on the user's email_verified attribute. A user created through the Management API has email_verified set to false unless the creation request sets it otherwise, so the Action can read that attribute and deny the login while it is still false. Two details matter when you create the user: do not set email_verified to true in the creation request, and do not send the post-creation verification email (the verify_email option on the create-user endpoint), because a user who clicks that link would have the attribute set to true without ever changing the password, and the gate would open. Note also that the Action applies to every login with an unverified email on that connection, not only to the accounts you created, so scope the check accordingly.

The email_verified attribute is a good fit because Auth0 updates it to true automatically once the user completes the password change flow started from a password-reset email. Opening the reset link delivered to the mailbox proves control of that address, so the address can be treated as verified at the same moment the new password is set. If you instead generate the reset link yourself with a Management API password-change ticket, create the ticket with mark_email_as_verified set to true so that completing the reset clears the gate in the same way.