Sample Password Rotation Action

Last Updated: Sep 12, 2024

Overview

When using the built-in password rotation action, the application only receives an error at its callback URL; everything else has to be handled at the application level. This article clarifies whether there is an alternative that automatically directs the user to the password reset widget.

Applies To

  • Password Rotation Action

Solution

The following is an alternative action to the built-in password rotation action. This action redirects the user to the password reset widget if passwordResetRequired() returns true.

Depending on whether the password reset page uses Classic or New Universal Login, it may be necessary to add either https://DOMAIN/lo/reset (Classic) or https://DOMAIN/u/reset-verify (New) to the list of Allowed Logout URLs on each application; otherwise the logout endpoint will reject the returnTo value.

NOTE: This is not application ready code, but instead provided as an example only. Customers need to create their own logic to track when to force a user to rotate their password.

exports.onExecutePostLogin = async (event, api) => {

  function passwordResetRequired() {
    // This function should contain the logic for when a user should rotate their password.
    // It should return a boolean. Placeholder: returns false until that logic is added.
    return false;
  }

  // Logs the user out of the tenant and returns them to the password change ticket URL.
  // The ticket URL must match an entry in the application's Allowed Logout URLs (see above).
  function logoutWithReturnUrl(ticketUrl) {
    return `https://${event.request.hostname}/v2/logout?client_id=${event.client.client_id}&returnTo=${encodeURIComponent(ticketUrl)}`;
  }

  if (passwordResetRequired()) {
    // The auth0 package must be added under the Action's Dependencies. The M2M application
    // behind these secrets needs the create:user_tickets Management API scope.
    const ManagementClient = require('auth0').ManagementClient;
    const client = new ManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.clientId,
      clientSecret: event.secrets.clientSecret,
    });

    // Create a password change ticket for the current user and application;
    // r.data.ticket is the ticket URL the user is sent to.
    const r = await client.tickets.changePassword({
      user_id: event.user.user_id,
      client_id: event.client.client_id,
    });

    api.redirect.sendUserTo(logoutWithReturnUrl(r.data.ticket));
  }
};
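One possible rotation policy and the redirect helpers written as pure, testable functions, added here as an illustration and not code from the article: it assumes a 90-day maximum password age, reads last_password_reset and created_at from the post-login event's user object, and mirrors the Allowed Logout URLs requirement with a local check on the ticket URL.

```javascript
// Added example (not from the article). Policy value is an assumption.
const MAX_AGE_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns true when the password is older than maxAgeDays. Falls back to the
// account creation date when the user has never reset their password, and
// fails closed (requires a reset) when neither timestamp can be parsed.
function passwordResetRequired(user, now = Date.now(), maxAgeDays = MAX_AGE_DAYS) {
  const stamp = user.last_password_reset || user.created_at;
  const last = Date.parse(stamp);
  if (Number.isNaN(last)) return true;
  return now - last > maxAgeDays * DAY_MS;
}

// Builds the /v2/logout URL the same way the article's action does.
function logoutWithReturnUrl(hostname, clientId, ticketUrl) {
  return `https://${hostname}/v2/logout?client_id=${clientId}&returnTo=${encodeURIComponent(ticketUrl)}`;
}

// Local mirror of the Allowed Logout URLs check: the returnTo must be an https
// URL on this tenant pointing at the Classic (/lo/reset) or New Universal
// Login (/u/reset-verify) reset page. Anything else would be rejected at logout.
function returnToIsAllowed(ticketUrl, hostname) {
  let u;
  try {
    u = new URL(ticketUrl);
  } catch (e) {
    return false;
  }
  return u.protocol === 'https:' && u.hostname === hostname &&
    (u.pathname === '/lo/reset' || u.pathname === '/u/reset-verify');
}

// Constructed sample: a user whose last reset was 134 days before "now".
const sampleNow = Date.parse('2024-09-12T00:00:00Z');
const sampleUser = { user_id: 'auth0|example', last_password_reset: '2024-05-01T00:00:00.000Z' };
if (passwordResetRequired(sampleUser, sampleNow)) {
  const ticket = 'https://example.auth0.com/lo/reset?ticket=CONSTRUCTED';
  if (returnToIsAllowed(ticket, 'example.auth0.com')) {
    console.log(logoutWithReturnUrl('example.auth0.com', 'clientid', ticket));
  }
}
```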