Reset Password for User with Multiple Accounts

We have users with multiple accounts and all with the same email. Our user names are in an email format. Auth0 seems to assume that it is an email.
Scenario 1:
If the username and email match - Reset Password Succeeds
Scenario 2:
Username and Email do not match - Reset Password Fails

  • Error - Unexpected end of JSON input

UserName: rs_ds@1ws.com
Email: XXX@1worldsync.com
Auth0 seems to be flipping UserName and Email.

What can I do to fix this? Some Change in the Database ChangePassword Action Script? Can I retrieve the correct username?

Request Data from Logs
Success Change Password Request
{
  "date": "2022-09-15T15:50:08.557Z",
  "type": "scpr",
  "description": "We've just sent you an email to reset your password.",
  "connection": "UMA",
  "connection_id": "con_sb9mlgboQml5Mi2K",
  "client_id": "dqNOY3lrCcfLjyqu3SqFzAThTeJZ10OD",
  "client_name": "Item Management",
  "ip": "4.35.103.2",
  "user_agent": "Chrome 105.0.0 / Windows 10.0.0",
  "details": {
    "body": {
      "tenant": "1worldsync-dev",
      "client_id": "dqNOY3lrCcfLjyqu3SqFzAThTeJZ10OD",
      "connection": "UMA",
      "email": "rs_ds@1ws.com",
      "verify": true,
      "debug": false
    }
  },
  "user_id": "auth0|7508",
  "user_name": "XXX@1worldsync.com",
  "strategy": "auth0",
  "strategy_type": "database",
  "log_id": "90020220915155010944404186023806782983316439231528697938",
  "_id": "90020220915155010944404186023806782983316439231528697938",
  "isMobile": false,
  "id": "90020220915155010944404186023806782983316439231528697938"
}

Failed Change Password
{
  "date": "2022-09-15T15:50:45.272Z",
  "type": "fcp",
  "description": "Unexpected end of JSON input",
  "connection": "UMA",
  "connection_id": "con_sb9mlgboQml5Mi2K",
  "client_id": "dqNOY3lrCcfLjyqu3SqFzAThTeJZ10OD",
  "client_name": "Item Management",
  "ip": "4.35.103.2",
  "user_agent": "Chrome 105.0.0 / Windows 10.0.0",
  "details": {
    "body": {
      "newPassword": "",
      "confirmNewPassword": "",
      "ticket": "Ml5rksB592byI7uePRJh99p51Tx3Xmj5",
      "tenant": "1worldsync-dev"
    },
    "query": {
      "user_id": "7508",
      "email": "XXX@1worldsync.com",
      "username": null,
      "newPassword": null,
      "tenant": "1worldsync-dev",
      "client_id": "dqNOY3lrCcfLjyqu3SqFzAThTeJZ10OD",
      "connection": "UMA",
      "resultUrl": "{{ application.callback_domain }}",
      "markEmailAsVerified": true,
      "includeEmailInRedirect": false
    }
  },
  "user_id": "",
  "user_name": "XXX@1worldsync.com",
  "strategy": "auth0",
  "strategy_type": "database",
  "log_id": "90020220915155046429157015957681029252868139887074738226",
  "_id": "90020220915155046429157015957681029252868139887074738226",
  "isMobile": false,
  "id": "90020220915155046429157015957681029252868139887074738226"
}

Hi @cbyrne ,

Could you please provide additional details about how the password reset gets triggered? Did the user click on the “forgot password” link, or did you call the Create the change password ticket endpoint?

Thanks!

We spoke with one of your support engineers. Auth0 is currently unable to handle password reset when there are multiple users with the same email address.

Recap from call

  • We discovered that when doing the password reset flow in Auth0 the first pass of the get_user custom db script will pass the username
  • After the user enters a new password on the password change screen then the get_user script will send over the email
  • Since you have multiple users with the same email address on your backend this means that we cannot reliably know which user initiated the password reset.

Per our discussion, I discovered this is a known issue on the Auth0 side.

Auth0 followed up on this deeper after our call and this work is prioritized for FY24.

1 Like
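
Added example (not part of the thread, and not Auth0's code): a log check that pairs each failed change-password event (`fcp`) with the reset request (`scpr`) for the same user and flags cases where the identifier typed in the request differs from the one carried on the change step. It assumes the field layout of the two log events posted above; the helper names and the user 9001 pair are constructed for illustration.

```javascript
// Constructed sample: the two events from the thread, trimmed to the fields used,
// plus one constructed pair (user 9001) where the identifier stays the same.
const events = [
  { type: "scpr", user_id: "auth0|7508",
    details: { body: { email: "rs_ds@1ws.com" } } },
  { type: "fcp", description: "Unexpected end of JSON input",
    details: { query: { user_id: "7508", email: "XXX@1worldsync.com" } } },
  { type: "scpr", user_id: "auth0|9001",
    details: { body: { email: "same@example.com" } } },
  { type: "fcp", description: "constructed failure",
    details: { query: { user_id: "9001", email: "same@example.com" } } },
];

// "auth0|7508" on the request event and "7508" in the ticket query name the same user.
const bareId = (id) => String(id || "").split("|").pop();
const norm = (s) => String(s || "").trim().toLowerCase();

function findIdentifierSwaps(logEvents) {
  // Identifier the user typed when requesting the reset, keyed by bare user id.
  const requested = new Map();
  for (const e of logEvents) {
    if (e.type === "scpr" && e.details?.body?.email) {
      requested.set(bareId(e.user_id), e.details.body.email);
    }
  }
  const findings = [];
  for (const e of logEvents) {
    if (e.type !== "fcp") continue;
    const q = e.details?.query;
    if (!q || !requested.has(bareId(q.user_id))) continue; // no matching request seen
    const asked = requested.get(bareId(q.user_id));
    // A differing identifier means the change step can no longer tell apart
    // accounts that share this email address.
    if (norm(asked) !== norm(q.email)) {
      findings.push({ user_id: bareId(q.user_id), requested: asked,
                      passedOnChange: q.email, error: e.description });
    }
  }
  return findings;
}

console.log(findIdentifierSwaps(events));
```

Run over exported tenant logs, each finding is a reset where the second leg carried an email shared by several accounts, so those resets should be reviewed rather than retried blindly.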