I created a user within Auth0 and by default it stores the email address as the name value, but I’m not seeing that the profile contains the email address under the “email” property. I’m sitting here trying to figure out how to handle the password reset flow for a user and it appears to require that I send the user’s email address with the request.
Is there any way to either guarantee that the email property will be populated with the user’s email address or alternatively reset the account password using an identifier other than the email address (such as their Auth0 ID or something)?
You should have a user.email field and it should always be populated with the email address used when the user signs up. If you are seeing something other than that, I would suspect Something Bad Happened™. If you have a user profile where user.email is not populated with the email address, can you post the user profile here?
user.name is a standard OIDC claim (well, name is a standard OIDC claim) which Auth0 appears to populate with an actual name if it can find one, the email address, or the local part of the email address.
I believe the only option for password reset is email address.
@markd I see the field populated in the Auth0 manage portal, but I can’t figure out how to actually see it in a client app without requesting that scope.
The best I’ve come up with is to add the email scope when the user consents, but that feels more like an odd workaround than how it’s supposed to work given that I’ve got the Auth0 identifier for the user without having to distinctly ask for it. Is using the email pulled from the scope really the approach I’m supposed to use here?
Right now, I’m just looking at the changePassword method on the auth0.js script (JSDoc: Global).
I’m not terribly picky one way or another, but I wasn’t able to quickly figure out how to point the user to the Universal Login flow, so I went with this approach (and of course, it requires the email field).
Hopefully one of the Auth0 folks will provide a more definitive response but I believe the short answer is yes, you must use the email address to trigger the change password flow. You could allow the user to provide a username but as you noted, in that case you would need to look up the associated email address.
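The flow this thread settles on, as an added example that is not part of any post above and is not Auth0's own code: read the `email` claim from an ID token obtained with the `email` scope, then build the request for Auth0's `/dbconnections/change_password` endpoint. The tenant domain, client ID, connection name and sample token are constructed assumptions, the token is assumed to have been validated by the SDK already, and the request is built but never sent.

```javascript
// Constructed configuration (assumptions, not values from the thread).
const CFG = {
  domain: 'example-tenant.auth0.com',
  clientId: 'CONSTRUCTED_CLIENT_ID',
  connection: 'Username-Password-Authentication', // assumed database connection name
};

// Decode the payload of an ID token that the SDK has ALREADY validated
// (signature, iss, aud, exp). This helper performs no verification itself.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build (but do not send) the password-reset request. The endpoint is keyed on
// the email address, so a token issued without the "email" scope cannot drive it.
function buildChangePasswordRequest(cfg, claims) {
  if (typeof claims.email !== 'string' || claims.email.length === 0) {
    throw new Error('no email claim: request the "email" scope at login');
  }
  return {
    url: `https://${cfg.domain}/dbconnections/change_password`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      client_id: cfg.clientId,
      email: claims.email,
      connection: cfg.connection,
    }),
  };
}

// Hypothetical helper that fabricates sample tokens for this example only.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

// Token as issued with scope "openid profile email" (constructed sample).
const sampleToken = makeSampleToken({
  sub: 'auth0|constructed-user-id',
  name: 'jane@example.com',
  email: 'jane@example.com',
});
console.log(buildChangePasswordRequest(CFG, decodeIdTokenPayload(sampleToken)).body);
```

A token issued with only `openid profile` still carries `sub` and `name` but no `email`, which is the case the thrown error covers.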